AAA commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

General AAA commands

aaa nas-id profile

Use aaa nas-id profile to create a NAS-ID profile and enter its view, or enter the view of an existing NAS-ID profile.
aaa session-limit

Use aaa session-limit to set the maximum number of concurrent users that can log on to the device through the specified method. Use undo aaa session-limit to restore the default maximum number of concurrent users for the specified login method.

Syntax
In non-FIPS mode:
aaa session-limit { ftp | http | https | ssh | telnet } max-sessions...
Syntax
accounting command hwtacacs-scheme hwtacacs-scheme-name
undo accounting command

Default
The default accounting methods of the ISP domain are used for command line accounting.

Views
ISP domain view

Predefined user roles
network-admin
mdc-admin

Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
Use undo accounting dual-stack to restore the default.

Syntax
accounting dual-stack { merge | separate }
undo accounting dual-stack

Default
The merge method applies.

Views
ISP domain view

Predefined user roles
network-admin
mdc-admin

Parameters
merge: Merges IPv4 data with IPv6 data for accounting.
separate: Separates IPv4 data from IPv6 data for accounting.
Predefined user roles
network-admin
mdc-admin

Parameters
broadcast: Broadcasts accounting requests to servers in RADIUS schemes.
radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Examples
# In ISP domain test, perform local accounting for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting login local
# In ISP domain test, perform RADIUS accounting for login users based on scheme rd and use local accounting as the backup.
<Sysname>...
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines
You can specify one primary accounting method and multiple backup accounting methods. When the primary method is invalid, the device attempts to use the backup methods in sequence.
Syntax
accounting quota-out { offline | online }
undo accounting quota-out

Default
The device logs off users that have used up their data quotas.

Views
ISP domain view

Predefined user roles
network-admin
mdc-admin

Parameters
offline: Logs off users that have used up their data quotas.
online: Allows users that have used up their data quotas to stay online.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting start-fail online

accounting update-fail

Use accounting update-fail to configure access control for users that have failed all their accounting-update attempts. Use undo accounting update-fail to restore the default.

Syntax
accounting update-fail { [ max-times max-times ] offline | online }
undo accounting update-fail

Default
The device allows users that have failed all their accounting-update attempts to stay online.
authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo authentication default

Default
The default authentication method of an ISP domain is local.

Views
ISP domain view

Predefined user roles...
authentication lan-access

Use authentication lan-access to specify authentication methods for LAN users. Use undo authentication lan-access to restore the default.

Syntax
In non-FIPS mode:
authentication lan-access { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authentication lan-access
In FIPS mode:...
[Sysname] domain test
[Sysname-isp-test] authentication lan-access radius-scheme rd local

Related commands
authentication default
hwtacacs scheme
ldap scheme
local-user
radius scheme

authentication login

Use authentication login to specify authentication methods for login users. Use undo authentication login to restore the default.

Syntax
In non-FIPS mode:
authentication...
Usage guidelines
You can specify one primary authentication method and multiple backup authentication methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup methods (local authentication and no authentication).
mdc-admin

Parameters
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines
You can specify one primary authentication method and multiple backup authentication methods. When the primary method is invalid, the device attempts to use the backup methods in sequence.
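The primary/backup sequence described in the usage guidelines above (and for the accounting methods earlier on this page), modelled as an added example that is not part of the command reference: a small Python model of a method list such as authentication login radius-scheme rd local none. The backend names and the constructed account data are assumptions, as is the rule, labelled in the code, that a method hands over to the next one only when it is invalid (server unreachable or scheme not configured), while a definitive reject from a reachable method ends the attempt. The model makes visible what the page's own example implies: with none as the last backup, an outage of every other method lets the user in unauthenticated.

```python
"""Model of an AAA method list with one primary and several backup methods.

Added example, not code from the command reference. Assumptions (labelled):
backend names, the constructed accounts, and the rule that a method hands
over to the next one only when it is *invalid* (server unreachable or scheme
not configured); a definitive reject from a reachable method ends the attempt.
"""
from typing import Callable, Dict, List


class MethodUnavailable(Exception):
    """The method cannot be used right now (e.g. no RADIUS server answered)."""


# Constructed account stores for the example (not real device data).
RADIUS_ACCOUNTS = {"alice": "radius-pw"}
LOCAL_ACCOUNTS = {"alice": "local-pw"}


def radius_backend(reachable: bool) -> Callable[[str, str], bool]:
    """Build a fake 'radius-scheme rd' backend that may be unreachable."""
    def check(user: str, password: str) -> bool:
        if not reachable:
            raise MethodUnavailable("no server reachable")
        return RADIUS_ACCOUNTS.get(user) == password
    return check


def local_backend(user: str, password: str) -> bool:
    """Fake 'local' backend: look the user up in the local user database."""
    return LOCAL_ACCOUNTS.get(user) == password


def authenticate(methods: List[str],
                 backends: Dict[str, Callable[[str, str], bool]],
                 user: str, password: str) -> dict:
    """Walk the method list in order; return the decision and a trace.

    'none' accepts without checking anything (fail-open), so its position in
    the list decides whether an outage of every other method still lets the
    user in.
    """
    trace: List[str] = []
    for method in methods:
        if method == "none":
            trace.append("none: no authentication performed")
            return {"result": "accept", "method": method, "trace": trace}
        backend = backends.get(method)
        if backend is None:
            # Assumption: an unconfigured scheme counts as invalid -> next method.
            trace.append(f"{method}: scheme not configured, trying next method")
            continue
        try:
            ok = backend(user, password)
        except MethodUnavailable as exc:
            trace.append(f"{method}: {exc}, trying next method")
            continue
        # Assumption: a reachable method's verdict is final; no fall-through on reject.
        trace.append(f"{method}: {'accept' if ok else 'reject'}")
        return {"result": "accept" if ok else "reject", "method": method, "trace": trace}
    trace.append("all methods invalid")
    return {"result": "reject", "method": None, "trace": trace}


def scenarios() -> Dict[str, dict]:
    """Run a few method lists with the RADIUS server up and down."""
    up = {"radius-scheme rd": radius_backend(True), "local": local_backend}
    down = {"radius-scheme rd": radius_backend(False), "local": local_backend}
    rd_local_none = ["radius-scheme rd", "local", "none"]
    rd_local = ["radius-scheme rd", "local"]
    rd_none = ["radius-scheme rd", "none"]
    rd_only = ["radius-scheme rd"]
    return {
        "radius_up_good_pw": authenticate(rd_local_none, up, "alice", "radius-pw"),
        "radius_up_bad_pw": authenticate(rd_local_none, up, "alice", "wrong"),
        "radius_down_local_good": authenticate(rd_local, down, "alice", "local-pw"),
        "radius_down_local_bad": authenticate(rd_local, down, "alice", "wrong"),
        "radius_down_none_backup": authenticate(rd_none, down, "alice", "wrong"),
        "radius_down_no_backup": authenticate(rd_only, down, "alice", "wrong"),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome['result']} via {outcome['method']}")
        for step in outcome["trace"]:
            print("   ", step)
```

The radius_down_none_backup case is the one to watch in a real deployment: a wrong password is accepted because the only method that could still judge it is none.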
Views
ISP domain view

Predefined user roles
network-admin
mdc-admin

Parameters
ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Default
The default authentication methods of the ISP domain are used for user role authentication.

Views
ISP domain view

Predefined user roles
network-admin
mdc-admin

Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Default
The default authorization methods of the ISP domain are used for command authorization.

Views
ISP domain view

Predefined user roles
network-admin
mdc-admin

Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. You can specify one primary authorization method and multiple backup authorization methods. When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines
The RADIUS authorization configuration takes effect only when authentication and authorization methods of the ISP domain use the same RADIUS scheme. You can specify one primary authorization method and multiple backup authorization methods.
Views
ISP domain view

Predefined user roles
network-admin
mdc-admin

Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. The following default authorization information applies after users pass authentication:
•...
authorization portal

Use authorization portal to specify authorization methods for portal users. Use undo authorization portal to restore the default.

Syntax
In non-FIPS mode:
authorization portal { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authorization portal
In FIPS mode:
authorization portal { local | radius-scheme radius-scheme-name [ local ] }...
[Sysname-isp-test] authorization portal radius-scheme rd local

Related commands
authorization default
local-user
radius scheme

authorization-attribute (ISP domain view)

Use authorization-attribute to configure authorization attributes for users in an ISP domain. Use undo authorization-attribute to restore the default of an authorization attribute.

Syntax
authorization-attribute { acl acl-number | car inbound cir committed-information-rate [ pir peak-information-rate ] outbound cir committed-information-rate [ pir peak-information-rate ] |...
idle-cut minutes: Specifies an idle timeout period in minutes. The value range for the minutes argument is 1 to 600. This option is applicable only to portal users.
flow: Specifies the minimum traffic that must be generated in the idle timeout period in bytes. The value range is 1 to 10240000, and the default value is 10240.
Syntax
display domain [ isp-name ]

Views
Any view

Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator

Parameters
isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. If you do not specify an ISP domain, this command displays the configuration of all ISP domains.

Examples
# Display the configuration of all ISP domains.
Accounting update failure action: Online
Accounting quota out policy: Offline
Service type: HSI
Session time: Include idle time
Dual-stack accounting method: Merge
Authorization attributes:
  Idle cut : Enabled
    Idle timeout: 2 minutes
    Flow: 10240 bytes
    Traffic direction: Both
  IP pool: appy
  Inbound CAR: CIR 64000 bps PIR 640000 bps
  Outbound CAR: CIR 64000 bps PIR 640000 bps
  ACL number: 3000...
Field | Description
RADIUS | RADIUS scheme.
HWTACACS | HWTACACS scheme.
LDAP | LDAP scheme.
Local | Local scheme.
None | No authentication, no authorization, or no accounting.
Accounting start failure action | Access control for users that encounter accounting-start failures: • Online—Allows the users to stay online. •...
Field | Description
Inbound CAR | Authorization inbound CAR: • CIR—Committed information rate in bps. • PIR—Peak information rate in bps. If no inbound CAR is authorized, this field displays N/A.
Outbound CAR | Authorization outbound CAR: • CIR—Committed information rate in bps. •...
You can modify settings for the system-defined ISP domain system, but you cannot delete this domain. An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] quit
[Sysname] domain default enable test

Related commands
display domain
domain

domain if-unknown

Use domain if-unknown to specify an ISP domain to accommodate users that are assigned to nonexistent domains. Use undo domain if-unknown to restore the default.

Syntax
domain if-unknown isp-name
undo domain if-unknown...
Examples
# Specify ISP domain test to accommodate users that are assigned to nonexistent domains.
<Sysname> system-view
[Sysname] domain if-unknown test

Related commands
display domain

nas-id bind vlan

Use nas-id bind vlan to bind a NAS-ID with a VLAN. Use undo nas-id bind vlan to remove a NAS-ID and VLAN binding.

Syntax
nas-id nas-identifier bind vlan vlan-id
undo nas-id nas-identifier bind vlan vlan-id...
Syntax
service-type { hsi | stb | voip }
undo service-type

Default
The service type is hsi for users in an ISP domain.

Views
ISP domain view

Predefined user roles
network-admin
mdc-admin

Parameters
hsi: Specifies the High Speed Internet (HSI) service. This service is applicable to users that access the network through 802.1X.
Views
ISP domain view

Predefined user roles
network-admin
mdc-admin

Usage guidelines
Whether to configure the device to include the idle timeout period in the user online duration sent to the server depends on the accounting policy in your network. Typically, the idle timeout period is assigned by the authorization server after users pass authentication.
Parameters
active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.
block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.

Usage guidelines
By blocking an ISP domain, you disable offline users of the domain from requesting network services.
Examples
# Specify the private IPv4 address type for users in ISP domain test.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] user-address-type private-ipv4

Related commands
display domain

Local user commands

access-limit

Use access-limit to set the maximum number of concurrent logins using the local user name. Use undo access-limit to restore the default.
authorization-attribute (local user view/user group view)

Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user. Use undo authorization-attribute to restore the default of an authorization attribute.
work-directory directory-name: Specifies the working directory for FTP, SFTP, or SCP users. The directory-name argument is a case-insensitive string of 1 to 255 characters. The directory must already exist.

Usage guidelines
Configure authorization attributes according to the application environments and purposes. Support for authorization attributes depends on the service types of users.
[Sysname-luser-manage-xyz] authorization-attribute user-role security-audit
This operation will delete all other roles of the user. Are you sure? [Y/N]:y

Related commands
display local-user
display user-group

bind-attribute

Use bind-attribute to configure binding attributes for a local user. Use undo bind-attribute to remove binding attributes of a local user.

Syntax
bind-attribute { ip ip-address | location interface interface-type interface-number | mac mac-address | vlan vlan-id } *...
• If the user is an 802.1X user, specify the 802.1X-enabled Layer 2 Ethernet interface or Layer 2 aggregate interface.
• If the user is a MAC authentication user, specify the MAC authentication-enabled Layer 2 Ethernet interface or Layer 2 aggregate interface.
•...
description

Use description to configure a description for a network access user. Use undo description to restore the default.

Syntax
description text
undo description

Default
No description is configured for a network access user.

Views
Network access user view

Predefined user roles
network-admin
mdc-admin

Parameters...
network: Network access user.
guest: Guest user account.
idle-cut { disable | enable }: Specifies local users by the status of the idle cut feature.
service-type: Specifies the local users that use a specific type of service.
ftp: FTP users.
http: HTTP users.
User group: system
Bind attributes:
  IP address: 2.2.2.2
  Location bound: Ten-GigabitEthernet1/0/1
  MAC address: 0001-0001-0001
  VLAN ID:
Authorization attributes:
  Idle timeout: 33 minutes
  Work directory: flash:
  ACL number: 2000
  User role list: network-operator, level-0, level-3
Description: A network access user from company cc
Validity period:
  Start date and time: 2016/01/01-00:01:01...
Field | Description
VLAN ID | Binding VLAN of the local user.
Authorization attributes | Authorization attributes of the local user.
Idle timeout | Idle timeout period of the user, in minutes.
Session-timeout | Session timeout timer for the user, in minutes.
Work directory | Directory that the FTP, SFTP, or SCP user can access.
ACL number | Authorization ACL of the local user.
display user-group

Use display user-group to display user group configuration.

Syntax
display user-group { all | name group-name }

Views
Any view

Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator

Parameters
all: Specifies all user groups.
name group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.
Field | Description
IP pool | IPv4 address pool authorized to the user group.
IPv6 pool | IPv6 address pool authorized to the user group.
Password control configurations | Password control attributes that are configured for the user group.
Password aging | Password expiration time.
Password length | Minimum number of characters that a password must contain.
[Sysname-luser-network(guest)-abc] email abc@yyy.com

Related commands
display local-user

full-name

Use full-name to configure the name of a local guest. Use undo full-name to restore the default.

Syntax
full-name name-string
undo full-name

Default
No name is configured for a local guest.

Views
Local guest view

Predefined user roles
network-admin...
mdc-admin

Parameters
group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Examples
# Assign device management user 111 to user group abc.
<Sysname> system-view
[Sysname] local-user 111 class manage
[Sysname-luser-manage-111] group abc

Related commands
display local-user

local-guest email format

Use local-guest email format to configure the subject and body for the email notifications of local guest information.
Examples
# Configure the subject and body for the email notifications to send to the local guest.
<Sysname> system-view
[Sysname] local-guest email format to guest subject Guest account information
[Sysname] local-guest email format to guest body A guest account has been created for you. The username, password, and validity period of the account are given below.
local-guest email smtp-server

Use local-guest email smtp-server to specify an SMTP server to send email notifications of local guests. Use undo local-guest email smtp-server to restore the default.

Syntax
local-guest email smtp-server url-string
undo local-guest email smtp-server

Default
No SMTP server is specified to send email notifications of local guests.

Views
System view

Predefined user roles...
Parameters
username-prefix name-prefix: Specifies the name prefix. The name-prefix argument is a case-sensitive string of 1 to 45 characters. The prefix cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@).
display local-user

local-guest send-email

Use local-guest send-email to send emails to a local guest or guest sponsor.

Syntax
local-guest send-email user-name user-name to { guest | sponsor }

Views
User view

Predefined user roles
network-admin
mdc-admin

Parameters
user-name user-name: Specifies a local guest by user name, a case-sensitive string of 1 to 55 characters.
Default
No local users exist.

Views
System view

Predefined user roles
network-admin
mdc-admin

Parameters
user-name: Specifies the local user name, a case-sensitive string of 1 to 55 characters. The name must meet the following requirements:
• Cannot contain a domain name.
•...
# Add a local guest named user3 and enter local guest view.
<Sysname> system-view
[Sysname] local-user user3 class network guest
[Sysname-luser-network(guest)-user3]

Related commands
display local-user
service-type

local-user auto-delete enable

Use local-user auto-delete enable to enable the local user auto-delete feature. Use undo local-user auto-delete enable to restore the default.
mdc-admin

Parameters
class: Specifies the local user type.
network: Specifies the network access user.
guest: Specifies the local guest.
url url-string: Specifies the URL of the destination file, a case-insensitive string of 1 to 255 characters.

Usage guidelines
You can import the user account information back to the device or to other devices that support the local-user-import command.
Parameters
class: Specifies the local user type.
network: Specifies the network access user.
guest: Specifies the local guest.
url url-string: Specifies the source file path. The url-string argument is a case-insensitive string of 1 to 255 characters.
validity-datetime: Specifies the guest validity period of the local guests.
start-date: Specifies the start date of the validity period, in the format of MM/DD/YYYY or YYYY/MM/DD.
The value of each parameter in the file must meet the requirements of the local user attributes on the device. Any violation causes the account import to fail and stop, and the system displays the number of the line at which the import stopped. Separate account entries with a carriage return, and separate the parameter values within an account entry with commas (,).
In FIPS mode, a device management user does not have a password and cannot pass authentication.

Views
Device management user view

Predefined user roles
network-admin
mdc-admin

Parameters
hash: Specifies a password encrypted by the hash algorithm.
simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
undo password

Default
A network access user does not have a password and can pass authentication after entering the correct username and passing attribute checks.

Views
Network access user view

Predefined user roles
network-admin
mdc-admin

Parameters
cipher: Specifies a password in encrypted form.
simple: Specifies a password in plaintext form.
Parameters
phone-number: Specifies the phone number, a string of 1 to 32 characters that can contain only digits and hyphens (-).

Examples
# Specify the phone number as 138-137239201 for local guest abc.
<Sysname> system-view
[Sysname] local-user abc class network guest
[Sysname-luser-network(guest)-abc] phone 138-137239201

Related commands
display local-user...
Usage guidelines
You can assign multiple service types to a user.

Examples
# Authorize device management user user1 to use the Telnet and FTP services.
<Sysname> system-view
[Sysname] local-user user1 class manage
[Sysname-luser-manage-user1] service-type telnet
[Sysname-luser-manage-user1] service-type ftp

Related commands
display local-user

sponsor-department

Use sponsor-department to specify the department of the guest sponsor for a local guest.
Default
No email address is specified for the guest sponsor.

Views
Local guest view

Predefined user roles
network-admin
mdc-admin

Parameters
email-string: Specifies the email address, a case-sensitive string of 1 to 255 characters. The address must comply with RFC 822.

Examples
# Specify the email address as Sam@a.com for the guest sponsor of local guest abc.
state (local user view)

Use state to set the status of a local user. Use undo state to restore the default.

Syntax
state { active | block }
undo state

Default
A local user is in active state.

Views
Local user view

Predefined user roles
network-admin
mdc-admin...
Parameters
group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Usage guidelines
A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group.
to: Specifies the expiration date and time for the user. If you do not specify this option, the command defines only the validity start date and time of the user.
expiration-date: Specifies the expiration date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12.
Parameters
device-id: Specifies a device ID in the range of 1 to 255.

Usage guidelines
RADIUS uses the value of the Acct-Session-ID attribute as the accounting ID for a user. The device generates an Acct-Session-ID value for each online user based on the system time, random digits, and device ID.
Default
The RADIUS class attribute is not interpreted as CAR parameters.

Views
RADIUS scheme view

Predefined user roles
network-admin
mdc-admin

Usage guidelines
Configure the device to interpret the RADIUS class attribute if the RADIUS server uses the attribute to deliver CAR parameters for user-based traffic monitoring and control.

Examples
# In RADIUS scheme radius1, configure the device to interpret the RADIUS class attribute as CAR parameters.
uppercase: Specifies the letters in a MAC address to be in upper case.

Usage guidelines
Configure the MAC address format for RADIUS attribute 31 to meet the requirements of the RADIUS servers.

Examples
# In RADIUS scheme radius1, specify the MAC address format as hh:hh:hh:hh:hh:hh for RADIUS attribute 31.
When you configure RADIUS attribute conversion rules, follow these restrictions and guidelines:
• The source and destination RADIUS attributes in a rule must use the same data type.
• The source and destination RADIUS attributes in a rule cannot use the same name.
•...
Usage guidelines
The device replaces the attribute in packets that match a RADIUS attribute conversion rule with the destination RADIUS attribute in the rule. The conversion rules take effect only when the RADIUS attribute translation feature is enabled. When you configure RADIUS attribute conversion rules, follow these restrictions and guidelines:
•...
Usage guidelines
Configure RADIUS attribute rejection rules for the following purposes:
• Delete attributes from the RADIUS packets to be sent if the destination RADIUS server does not identify the attributes.
• Ignore unwanted attributes in the RADIUS packets received from a RADIUS server.
The RADIUS attribute rejection rules take effect only when the RADIUS attribute translation feature is enabled.
Examples
# In RADIUS scheme radius1, set the data measurement unit to kilobyte for the Remanent_Volume attribute.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute remanent-volume unit kilo-byte

Related commands
display radius scheme

attribute translate

Use attribute translate to enable the RADIUS attribute translation feature. Use undo attribute translate to disable the RADIUS attribute translation feature.
Use undo client to remove a RADIUS DAC.

Syntax
client { ip ipv4-address | ipv6 ipv6-address } [ key { cipher | simple } string | vpn-instance vpn-instance-name ] *
undo client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default
No RADIUS DACs are specified.
port

data-flow-format (RADIUS scheme view)

Use data-flow-format to set the data flow and packet measurement units for traffic statistics. Use undo data-flow-format to restore the default.

Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }

Default...
display radius scheme

Use display radius scheme to display RADIUS scheme configuration.

Syntax
display radius scheme [ radius-scheme-name ]

Views
Any view

Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator

Parameters
radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
  Weight: 40
Second accounting server:
  Host name: Not configured
  : 3.3.3.3
  Port: 1813
  : Not configured
  State: Block (Mandatory)
  Weight: 0
Accounting-On function : Enabled
  extended function : Enabled
  retransmission times
  retransmission interval(seconds)
Timeout Interval(seconds)
Retransmission Times
Retransmission Times for Accounting Update : 5
Server Quiet Period(minutes)
Realtime Accounting Interval(seconds) : 22...
Field | Description
Port | Service port number of the server. If no port number is specified, this field displays the default port number.
 | MPLS L3VPN instance to which the server or the RADIUS scheme belongs. If no VPN instance is specified for the server, this field displays Not configured.
Field | Description
Attribute 25 | RADIUS attribute 25 interpretation status: • Standard—The attribute is not interpreted as CAR parameters. • CAR—The attribute is interpreted as CAR parameters.
Attribute Remanent-Volume unit | Data measurement unit for the RADIUS Remanent_Volume attribute.
 | Status of the RADIUS server load sharing feature: •...
Table 7 Command output

Field | Description
Auth. | Authentication packets.
Acct. | Accounting packets.
SessCtrl. | Session-control packets.
Request Packet | Number of request packets.
Retry Packet | Number of retransmitted request packets.
Timeout Packet | Number of request packets timed out.
Access Challenge | Number of access challenge packets.
Account Start | Number of start-accounting packets.
session-id session-id: Specifies a session by its ID. The session-id argument is a string of 1 to 64 characters and cannot contain a letter. A session ID uniquely identifies an online user for a RADIUS scheme.
time-range start-time end-time: Specifies a time range. The start time and end time must be in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.
Parameters
accounting: Specifies the shared key for secure RADIUS accounting communication.
authentication: Specifies the shared key for secure RADIUS authentication communication.
cipher: Specifies the key in encrypted form.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
Parameters
ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.
Views
RADIUS DAS view

Predefined user roles
network-admin
mdc-admin

Parameters
port-number: Specifies a UDP port number in the range of 1 to 65535.

Usage guidelines
The destination port in DAE packets on the DAC must be the same as the RADIUS DAS port on the DAS.
key: Specifies the shared key for secure communication with the primary RADIUS accounting server.
cipher: Specifies the key in encrypted form.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key.
weight weight-value: Specifies a weight value for the RADIUS server. The value range for the weight-value argument is 0 to 100, and the default value is 0. The value 0 indicates that the RADIUS server will not be used for load sharing. This option takes effect only when the RADIUS server load sharing feature is enabled for the RADIUS scheme.
undo radius attribute extended [ attribute-name ]

Default
No user-defined extended RADIUS attributes exist.

Views
System view

Predefined user roles
network-admin
mdc-admin

Parameters
attribute-name: Specifies the RADIUS attribute name, a case-insensitive string of 1 to 63 characters. The name must be unique among all RADIUS attributes, including the standard and extended RADIUS attributes.
undo radius dynamic-author server

Default
The RADIUS DAS feature is disabled.

Views
System view

Predefined user roles
network-admin
mdc-admin

Usage guidelines
After you enable the RADIUS DAS feature, the device listens to the RADIUS DAS port to receive DAE packets from specified DACs. Based on the DAE packet type and contents, the device performs one of the following operations:
•...
Parameters
ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.
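A validator for the address constraints listed for the ipv4-address and ipv6-address parameters (here and where the same parameters appear earlier on this page), as an added example that is not part of the command reference and not the device's own implementation. It uses Python's standard ipaddress module; the set of device-owned addresses is constructed for the example, and rejecting the unspecified IPv6 address :: as non-unicast is an assumption.

```python
"""Check a candidate NAS-IP against the constraints the command reference lists.

Added example, not code from the command reference. The device address set
is constructed; treating the unspecified IPv6 address '::' as non-unicast
(and so rejecting it) is an assumption.
"""
import ipaddress
from typing import Iterable, Tuple, Union

# Constructed: addresses configured on the example device.
DEVICE_ADDRESSES = {"10.1.1.1", "192.0.2.10", "2001:db8::1"}

CLASS_D = ipaddress.IPv4Network("224.0.0.0/4")  # multicast
CLASS_E = ipaddress.IPv4Network("240.0.0.0/4")  # reserved; also contains 255.255.255.255


def check_ipv4(ip: ipaddress.IPv4Address) -> Tuple[bool, str]:
    """IPv4 rules from the parameter description; the two literal addresses
    are tested first because 255.255.255.255 also falls inside class E."""
    if ip == ipaddress.IPv4Address("0.0.0.0"):
        return False, "0.0.0.0 is not allowed"
    if ip == ipaddress.IPv4Address("255.255.255.255"):
        return False, "255.255.255.255 is not allowed"
    if ip in CLASS_D:
        return False, "class D (multicast) address"
    if ip in CLASS_E:
        return False, "class E (reserved) address"
    if ip.is_loopback:
        return False, "loopback address"
    return True, "ok"


def check_ipv6(ip: ipaddress.IPv6Address) -> Tuple[bool, str]:
    """IPv6 rules: unicast only, no loopback, no link-local."""
    if ip.is_multicast or ip.is_unspecified:  # assumption: '::' is not unicast
        return False, "not a unicast address"
    if ip.is_loopback:
        return False, "loopback address"
    if ip.is_link_local:
        return False, "link-local address"
    return True, "ok"


def validate_nas_ip(addr: str,
                    device_addrs: Iterable[str] = DEVICE_ADDRESSES) -> Tuple[bool, str]:
    """Parse the string, apply the per-family rules, then require that the
    address is actually one of the device's own addresses."""
    try:
        ip: Union[ipaddress.IPv4Address, ipaddress.IPv6Address] = ipaddress.ip_address(addr)
    except ValueError:
        return False, "not a valid IP address"
    ok, reason = check_ipv4(ip) if ip.version == 4 else check_ipv6(ip)
    if not ok:
        return ok, reason
    if ip not in {ipaddress.ip_address(a) for a in device_addrs}:
        return False, "not an address of this device"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("10.1.1.1", "0.0.0.0", "224.0.0.5", "127.0.0.1",
                      "10.1.1.2", "2001:db8::1", "fe80::1", "::1"):
        print(f"{candidate:>16}: {validate_nas_ip(candidate)}")
```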
undo radius scheme radius-scheme-name Default No RADIUS schemes exist. Views System view Predefined user roles network-admin mdc-admin Parameters radius-scheme-name: Specifies the RADIUS scheme name, a case-insensitive string of 1 to 32 characters. Usage guidelines A RADIUS scheme can be used by more than one ISP domain at the same time. The device supports a maximum of 16 RADIUS schemes.
key: Specifies the shared key for secure communication with the session-control client. cipher: Specifies the key in encrypted form. simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form. string: Specifies the key.
Predefined user roles network-admin mdc-admin Usage guidelines An HPE IMC RADIUS server uses session-control packets to deliver dynamic authorization change requests or disconnection requests to the device. The session-control feature enables the device to receive the RADIUS session-control packets on UDP port 1812. This feature must work with HPE IMC servers.
Usage guidelines You can execute this command multiple times to configure multiple test profiles. If you specify a nonexistent test profile for a RADIUS server, the device does not detect the status of the server until you create the test profile on the device. When you delete a test profile, the device stops detecting the status of the RADIUS servers that use the test profile.
mdc-admin Parameters radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. session-id session-id: Specifies a session by its ID. The session-id argument is a string of 1 to 64 characters and cannot contain a letter. A session ID uniquely identifies an online user for a RADIUS scheme.
If the device does not receive a response to its request from the RADIUS server within the response timeout period, the device retransmits the RADIUS request. To set the response timeout period, use the timer response-timeout command. If the device does not receive a response from the RADIUS server after the maximum number of transmission attempts is reached, the device considers the request a failure.
Usage guidelines Typically, a RADIUS accounting server checks whether a user is online by using a timeout timer. If the server does not receive a real-time accounting request for a user in the timeout period, it considers that a line or device failure has occurred. The server stops accounting for the user. To work with the RADIUS server, the NAS needs to send real-time accounting requests to the server before the timer on the server expires and to keep pace with the server in disconnecting the user when a failure occurs.
Predefined user roles network-admin mdc-admin Parameters retries: Specifies the maximum number of transmission attempts. The value range is 10 to 65535. Usage guidelines The maximum number of stop-accounting request transmission attempts controls the transmission of stop-accounting requests together with the following parameters: •...
Predefined user roles network-admin mdc-admin Parameters host-name: Specifies the host name of a secondary RADIUS accounting server, a case-insensitive string of 1 to 253 characters. ipv4-address: Specifies the IPv4 address of a secondary RADIUS accounting server. ipv6 ipv6-address: Specifies the IPv6 address of a secondary RADIUS accounting server. port-number: Specifies the service port number of the secondary RADIUS accounting server.
• When the RADIUS server load sharing feature is enabled, the device returns an accounting failure message rather than searching for another active accounting server. If you remove an actively used accounting server, the device no longer sends users' real-time accounting requests and stop-accounting requests.
ipv6 ipv6-address: Specifies the IPv6 address of a secondary RADIUS authentication server. port-number: Specifies the service port number of the secondary RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812. key: Specifies the shared key for secure communication with the secondary RADIUS authentication server.
Examples # In RADIUS scheme radius1, specify a secondary authentication server with IP address 10.110.1.2 and UDP port 1812. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] secondary authentication 10.110.1.2 1812 # In RADIUS scheme radius2, specify two secondary authentication servers with IP addresses 10.110.1.1 and 10.110.1.2 and UDP port 1812.
When SNMP notifications for RADIUS are enabled, the device supports the following notifications generated by RADIUS: • RADIUS server unreachable notification—The RADIUS server cannot be reached. RADIUS generates this notification if it cannot receive any response to an accounting or authentication request within the specified RADIUS request transmission attempts.
When the RADIUS server load sharing feature is enabled, the device checks the weight value and number of currently served users only for servers in active state. The most appropriate active server is selected for communication. When the primary server and all secondary servers are in blocked state, the device tries to communicate with the primary server.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary RADIUS server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. active: Specifies the active state, the normal operation state. block: Specifies the blocked state, the out-of-service state. Usage guidelines If you do not specify an IP address, this command changes the status of all configured secondary RADIUS servers.
Default The device buffers the RADIUS stop-accounting requests to which no responses have been received. Views RADIUS scheme view Predefined user roles network-admin mdc-admin Usage guidelines This command enables the device to buffer a RADIUS stop-accounting request that has no response after the maximum transmission attempts (set by using the retry command) have been made.
A timer that is too short might result in frequent authentication or accounting failures. This is because the device will continue to attempt to communicate with an unreachable server that is in active state. A timer that is too long might temporarily block a reachable server that has recovered from a failure. This is because the server will remain in blocked state until the timer expires.
Number of users     Real-time accounting interval
500 to 999          12 minutes
1000 or more        15 minutes or longer
Examples
# In RADIUS scheme radius1, set the real-time accounting interval to 51 minutes.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer realtime-accounting 51
Related commands
retry realtime-accounting
timer response-timeout (RADIUS scheme view)
Examples # In RADIUS scheme radius1, set the RADIUS server response timeout timer to 5 seconds. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] timer response-timeout 5 Related commands display radius scheme retry user-name-format (RADIUS scheme view) Use user-name-format to specify the format of the username to be sent to a RADIUS server. Use undo user-name-format to restore the default.
[Sysname] radius scheme radius1 [Sysname-radius-radius1] user-name-format without-domain Related commands display radius scheme vpn-instance (RADIUS scheme view) Use vpn-instance to specify an MPLS L3VPN instance for a RADIUS scheme. Use undo vpn-instance to restore the default. Syntax vpn-instance vpn-instance-name undo vpn-instance Default The RADIUS scheme belongs to the public network.
Syntax data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } * undo data-flow-format { data | packet } Default Traffic is counted in bytes and packets. Views HWTACACS scheme view Predefined user roles...
Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an HWTACACS scheme, this command displays the configuration of all HWTACACS schemes. statistics: Displays the HWTACACS service statistics.
Table 10 Command output
Field                      Description
Index                      Index number of the HWTACACS scheme.
Primary Auth Server        Primary HWTACACS authentication server.
Primary Author Server      Primary HWTACACS authorization server.
Primary Acct Server        Primary HWTACACS accounting server.
Secondary Auth Server      Secondary HWTACACS authentication server.
Secondary Author Server    Secondary HWTACACS authorization server.
Field                            Description
Unknown type response packets    Number of unknown-type response packets.
Dropped response packets         Number of dropped response packets.
PassAdd response packets         Number of received PassAdd response packets. These packets indicate that all requested authorization attributes are assigned and additional authorization attributes are added.
PassReply response packets       Number of received PassReply response packets.
Table 12 Command output
Field                 Description
First sending time    Time when the stop-accounting request was first sent.
Attempts              Number of attempts that were made to send the stop-accounting request.
Related commands
reset stop-accounting-buffer (for HWTACACS)
retry stop-accounting (HWTACACS scheme view)
stop-accounting-buffer enable (HWTACACS scheme view)
user-name-format (HWTACACS scheme view)
hwtacacs nas-ip...
As a best practice, specify a loopback interface address as the source IP address for outgoing HWTACACS packets to avoid HWTACACS packet loss caused by physical port errors. If you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply: •...
Examples # Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] Related commands display hwtacacs scheme key (HWTACACS scheme view) Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.
<Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] key authentication simple 123456TESTauth&! # Set the shared key to 123456TESTautr&! in plaintext form for secure HWTACACS authorization communication. [Sysname-hwtacacs-hwt1] key authorization simple 123456TESTautr&! # Set the shared key to 123456TESTacct&! in plaintext form for secure HWTACACS accounting communication.
As a best practice, specify a loopback interface address as the source IP address for outgoing HWTACACS packets to avoid HWTACACS packet loss caused by physical port errors. If you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply: •...
key: Specifies the shared key for secure communication with the primary HWTACACS accounting server. cipher: Specifies the key in encrypted form. simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form. string: Specifies the key.
Syntax primary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] * undo primary authentication Default The primary HWTACACS authentication server is not specified. Views HWTACACS scheme view Predefined user roles...
If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme. You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form. string: Specifies the key. This argument is case sensitive. • In non-FIPS mode, the encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.
Syntax retry stop-accounting retries undo retry stop-accounting Default The maximum number of transmission attempts for individual HWTACACS stop-accounting requests is 100. Views HWTACACS scheme view Predefined user roles network-admin mdc-admin Parameters retries: Specifies the maximum number of transmission attempts for HWTACACS stop-accounting requests.
Parameters host-name: Specifies the host name of a secondary HWTACACS accounting server, a case-insensitive string of 1 to 253 characters. ipv4-address: Specifies the IPv4 address of a secondary HWTACACS accounting server. ipv6 ipv6-address: Specifies the IPv6 address of a secondary HWTACACS accounting server. port-number: Specifies the service port number of the secondary HWTACACS accounting server.
keyword, the device establishes a new TCP connection each time it exchanges authentication packets with the secondary authentication server for a user. vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary HWTACACS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
Views HWTACACS scheme view Predefined user roles network-admin mdc-admin Parameters host-name: Specifies the host name of a secondary HWTACACS authorization server, a case-insensitive string of 1 to 253 characters. ipv4-address: Specifies the IPv4 address of a secondary HWTACACS authorization server. ipv6 ipv6-address: Specifies the IPv6 address of a secondary HWTACACS authorization server.
You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation. Examples # In HWTACACS scheme hwt1, specify a secondary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&!.
Related commands display stop-accounting-buffer (for HWTACACS) reset stop-accounting-buffer (for HWTACACS) timer quiet (HWTACACS scheme view) Use timer quiet to set the quiet timer for the servers specified in an HWTACACS scheme. Use undo timer quiet to restore the default. Syntax timer quiet minutes undo timer quiet Default...
mdc-admin Parameters minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60. Setting this interval to 0 disables the device from sending online user accounting information to the HWTACACS accounting server. Usage guidelines For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically.
Usage guidelines HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server. The client timeout period of the associated access module cannot be shorter than the total response timeout timer of all HWTACACS servers in the scheme.
Examples # In HWTACACS scheme hwt1, configure the device to remove the ISP domain name from the usernames sent to the HWTACACS servers. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] user-name-format without-domain Related commands display hwtacacs scheme vpn-instance (HWTACACS scheme view) Use vpn-instance to specify an MPLS L3VPN instance for an HWTACACS scheme.
Use undo attribute-map to restore the default. Syntax attribute-map map-name undo attribute-map Default An LDAP scheme does not use an LDAP attribute map. Views LDAP scheme view Predefined user roles network-admin mdc-admin Parameters map-name: Specifies an LDAP attribute map by its name, a case-insensitive string of 1 to 31 characters.
Predefined user roles network-admin mdc-admin Parameters server-name: Specifies the name of an existing LDAP server, a case-insensitive string of 1 to 64 characters. Usage guidelines You can specify only one LDAP authentication server in an LDAP scheme. If you execute this command multiple times, the most recent configuration takes effect.
[Sysname-ldap-ldap1] authorization-server ccc Related commands display ldap scheme ldap server display ldap scheme Use display ldap scheme to display LDAP scheme configuration. Syntax display ldap scheme [ ldap-scheme-name ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
LDAP protocol version      : LDAPv3
Server timeout interval    : 10 seconds
Login account DN           : Not configured
Base DN                    : Not configured
Search scope               : all-level
User searching parameters:
  User object class        : Not configured
  Username attribute       : cn
  Username format          : with-domain
Attribute map              : map1...
Syntax ip ip-address [ port port-number ] [ vpn-instance vpn-instance-name ] undo ip Default An LDAP server does not have an IP address. Views LDAP server view Predefined user roles network-admin mdc-admin Parameters ip-address: Specifies the IP address of the LDAP server. port port-number: Specifies the TCP port number of the LDAP server.
Predefined user roles network-admin mdc-admin Parameters ipv6-address: Specifies the IPv6 address of the LDAP server. port port-number: Specifies the TCP port number of the LDAP server. The value range for the port-number argument is 1 to 65535, and the default value is 389. vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the LDAP server belongs.
Usage guidelines Execute this command multiple times to create multiple LDAP attribute maps. You can add multiple mapping entries to an LDAP attribute map. Each entry defines the mapping between an LDAP attribute and an AAA attribute. Examples # Create an LDAP attribute map named map1 and enter LDAP attribute map view. <Sysname>...
ldap server Use ldap server to create an LDAP server and enter its view, or enter the view of an existing LDAP server. Use undo ldap server to delete an LDAP server. Syntax ldap server server-name undo ldap server server-name Default No LDAP servers exist.
Parameters dn-string: Specifies the administrator DN for binding with the server, a case-insensitive string of 1 to 255 characters. Usage guidelines The administrator DN specified on the device must be consistent with the administrator DN configured on the LDAP server. If you change the administrator DN, the change is effective only on the LDAP authentication that occurs after the change.
[Sysname] ldap server ccc [Sysname-ldap-server-ccc] login-password simple abcdefg Related commands display ldap scheme login-dn Use map to configure a mapping entry in an LDAP attribute map. Use undo map to delete the specified mapping entries from the LDAP attribute map. Syntax map ldap-attribute ldap-attribute-name [ prefix prefix-value delimiter delimiter-value ] aaa-attribute user-group...
[Sysname-ldap-map-map1] map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group Related commands ldap attribute-map user-group protocol-version Use protocol-version to specify the LDAP version. Use undo protocol-version to restore the default. Syntax protocol-version { v2 | v3 } undo protocol-version Default The LDAP version is LDAPv3.
Syntax search-base-dn base-dn undo search-base-dn Default No base DN is specified for user search. Views LDAP server view Predefined user roles network-admin mdc-admin Parameters base-dn: Specifies the base DN for user search, a case-insensitive string of 1 to 255 characters. Examples # Specify the base DN for user search as dc=ldap,dc=com for LDAP server ccc.
Examples # Specify the search scope for the LDAP authentication as all subdirectories of the base DN for LDAP server ccc. <Sysname> system-view [Sysname] ldap server ccc [Sysname-ldap-server-ccc] search-scope all-level Related commands display ldap scheme ldap server server-timeout Use server-timeout to set the LDAP server timeout period, the maximum time that the device waits for an LDAP response.
Syntax user-parameters { user-name-attribute { name-attribute | cn | uid } | user-name-format { with-domain | without-domain } | user-object-class object-class-name } undo user-parameters { user-name-attribute | user-name-format | user-object-class } Default The LDAP username attribute is cn and the username format is without-domain. No user object class is specified and the default user object class of the LDAP server is used.
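The map command shown earlier in this section (map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group) turns each value of an LDAP attribute into an AAA authorization attribute by stripping a prefix and cutting at a delimiter. The following is an added example, not code from the page or from the device, that implements such an attribute map in Python over a constructed LDAP user entry. Two details are assumptions rather than documented device behaviour: the prefix is matched anchored at the start of the value and case-insensitively (LDAP attribute types are case-insensitive), and a delimiter escaped with a backslash inside a DN (RFC 4514) does not terminate the value. The MapEntry type, the function names and the sample entry are inventions for the demo.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MapEntry:
    """One 'map ldap-attribute ... aaa-attribute ...' line of an LDAP attribute map."""
    ldap_attribute: str
    aaa_attribute: str
    prefix: Optional[str] = None
    delimiter: Optional[str] = None


def value_before_delimiter(text, delimiter):
    """Return text up to the first unescaped delimiter. A backslash escapes the next
    character, so "Smith\\, John,ou=people" yields "Smith, John" (assumed handling)."""
    out = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
            continue
        if ch == delimiter:
            break
        out.append(ch)
        i += 1
    return "".join(out)


def extract_aaa_value(raw, prefix=None, delimiter=None):
    """Apply the prefix/delimiter rule to one LDAP value. The prefix must match at the
    start of the value (anchored, case-insensitive); values without it are skipped so an
    unrelated DN in memberOf cannot turn into a group name. Empty results are skipped too."""
    if prefix:
        if raw[:len(prefix)].lower() != prefix.lower():
            return None
        raw = raw[len(prefix):]
    if delimiter:
        raw = value_before_delimiter(raw, delimiter)
    return raw or None


def apply_attribute_map(entries, ldap_entry):
    """Turn an LDAP user entry ({attribute: [values]}) into AAA authorization attributes."""
    by_name = {k.lower(): v for k, v in ldap_entry.items()}
    result = {}
    for entry in entries:
        for raw in by_name.get(entry.ldap_attribute.lower(), []):
            value = extract_aaa_value(raw, entry.prefix, entry.delimiter)
            if value is not None:
                result.setdefault(entry.aaa_attribute, []).append(value)
    return result


# The page's example: map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group
MAP1 = [MapEntry("memberof", "user-group", prefix="cn=", delimiter=",")]

# Constructed sample entry, shaped like what an LDAP server returns for a user search.
SAMPLE_USER = {
    "cn": ["alice"],
    "memberOf": [
        "cn=netadmins,ou=groups,dc=ldap,dc=com",
        "CN=Remote Access\\, VPN,OU=groups,DC=ldap,DC=com",   # escaped comma inside the RDN
        "ou=notagroup,dc=ldap,dc=com",                         # no cn= prefix: ignored
    ],
}


def sample_groups():
    """Authorization attributes the map produces for SAMPLE_USER."""
    return apply_attribute_map(MAP1, SAMPLE_USER)
```

The group names this produces are what the device later resolves to local user groups, so whoever can write a user's memberOf attribute on the LDAP server controls that user's authorization; the LDAP bind account configured with login-dn should therefore be read-only.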
Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Examples # Display information about all activated RADIUS clients. <Sysname> display radius-server active-client Total 2 RADIUS clients. Client IP: 2.2.2.2 Client IP: 3.3.3.3 Related commands radius-server client display radius-server active-user Use display radius-server active-user to display information about activated RADIUS users.
Username: test Description: A network access user from company cc Authorization attributes: VLAN ID: 2 ACL number: 2000 Validity period: Expiration time: 2015/04/03-18:00:00 # Display information about all activated RADIUS users. <Sysname> display radius-server active-user Total 2 RADIUS users matched. Username: 123 Description: A network access user from company cc Authorization attributes:...
Syntax radius-server activate Views System view Predefined user roles network-admin mdc-admin Usage guidelines Use this command to immediately activate the most recent RADIUS server configuration after you have added, modified, or deleted RADIUS clients and network access users from which RADIUS user data is generated.
string: Specifies a case-sensitive key string. The encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters. all: Specifies all RADIUS clients. Usage guidelines The IP address of a RADIUS client must be the same as the source IP address for outgoing RADIUS packets specified on the RADIUS client.
802.1X commands display dot1x Use display dot1x to display information about 802.1X. Syntax display dot1x [ sessions | statistics ] [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters sessions: Displays 802.1X session information. statistics: Displays 802.1X statistics.
Online 802.1X wired users
Ten-GigabitEthernet1/0/1 is link-up
  802.1X authentication    : Enabled
  Handshake                : Enabled
  Handshake reply          : Disabled
  Handshake security       : Disabled
  Unicast trigger          : Disabled
  Periodic reauth          : Disabled
  Port role                : Authenticator
  Authorization mode       : Auto
  Port access control      : Port-based
  Multicast trigger        : Enabled...
Field                  Description
CHAP authentication    Performs EAP termination and uses CHAP to communicate with the RADIUS server.
EAP authentication     Relays EAP packets and supports any of the EAP authentication methods to communicate with the RADIUS server.
PAP authentication     Performs EAP termination and uses PAP to communicate with the RADIUS server.
Field                    Description
Port access control      Access control method of the port:
                         • MAC-based—MAC-based access control.
                         • Port-based—Port-based access control.
Multicast trigger        Whether the 802.1X multicast trigger feature is enabled.
Mandatory auth domain    Mandatory authentication domain on the port.
Guest VLAN               802.1X guest VLAN configured on the port. If no 802.1X guest VLAN is configured on the port, this field displays Not configured.
Field                   Description
Add Guest VSI delay     Status and mode of the 802.1X guest VSI assignment delay feature on a port:
                        • EAPOL only—EAPOL-triggered 802.1X guest VSI assignment delay is enabled.
                        • NewMAC only—New MAC-triggered 802.1X guest VSI assignment delay is enabled.
                        •...
mdc-operator Parameters open: Displays information only about 802.1X users that use nonexistent usernames or incorrect passwords for network access in open authentication mode. If you do not specify this keyword, the command displays information about all online 802.1X users. interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays online 802.1X user information for all ports.
Field                Description
User MAC address     MAC address of the user.
Access interface     Interface through which the user accesses the device.
User access state    Access state of the user:
                     • Successful—The user passes 802.1X authentication and comes online.
                     • Open—The user uses a nonexistent username or an incorrect password to come online in open authentication mode.
display dot1x mac-address Use display dot1x mac-address to display MAC address information of 802.1X users in 802.1X VLANs or VSIs of a specific type. Syntax display dot1x mac-address { auth-fail-vlan | auth-fail-vsi | critical-vlan | critical-vsi | guest-vlan | guest-vsi } [ interface interface-type interface-number ] Views Any view Predefined user roles...
  MAC addresses: 8
    0800-2700-9427 0800-2700-2341 0800-2700-2324 0800-2700-2351
    0800-2700-5627 0800-2700-2251 0800-2700-8624 0800-2700-3f51
Interface: Ten-GigabitEthernet1/0/4
  Auth-Fail VSI: text1-vsi
  Aging time: 30 sec
  MAC addresses: 2
    0801-2700-9427 0801-2700-2341
Table 18 Command output
Field                  Description
Total MAC addresses    Total number of MAC addresses in the specified VLAN or VSI on the specified port or all ports.
Views System view Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Usage guidelines For the 802.1X feature to take effect on a port, you must enable the feature both globally and on the port.
successful-login: Specifies logs generated for successful logins of 802.1X users. Usage guidelines As a best practice, disable this feature to prevent excessive output of logs for 802.1X users. If you do not specify any parameters, this command enables all logging functions for 802.1X users. Examples # Enable logging for login failures of 802.1X users.
Related commands display dot1x dot1x authentication-method Use dot1x authentication-method to specify an EAP message handling method. Use undo dot1x authentication-method to restore the default. Syntax dot1x authentication-method { chap | eap | pap } undo dot1x authentication-method Default The access device performs EAP termination and uses CHAP to communicate with the RADIUS server.
If this mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. For more information about the user-name-format command, see "RADIUS commands." If RADIUS authentication is used, you must configure the access device to use the same authentication method (PAP, CHAP, or EAP) as the RADIUS server.
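In EAP relay mode (dot1x authentication-method eap) the access device does not terminate EAP: it forwards the client's EAP packets to the RADIUS server inside EAP-Message attributes, and RFC 3579 requires every such Access-Request and every reply that carries EAP-Message to include a Message-Authenticator computed with the RADIUS shared key. That attribute is what stops a forged Access-Request, or a spoofed Access-Accept injected on the path between the device and the server, from being accepted, because the ordinary Request Authenticator is random and unkeyed. The following added example, not code from the page or from the device, builds the relayed Access-Request the way the device does, fragments a long EAP packet across 253-byte EAP-Message attributes, and shows the checks the device must perform on the server's reply before passing the EAP-Request back to the client. The function names, the fixed Request Authenticator and the sample identity are assumptions for the demo; a real NAS picks a fresh random Request Authenticator per request.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 2, 1, 4
HEADER_LEN = 20
EAP_MESSAGE_CHUNK = 253   # a RADIUS attribute value is at most 253 octets


def eap_packet(code, ident, eap_type, data=b""):
    """EAP packet: Code, Identifier, Length (whole packet), Type, Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def decode_attrs(data):
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def eap_from_attrs(attrs):
    """Reassemble the EAP packet from its EAP-Message fragments, in order."""
    return b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)


def sign_message_authenticator(header, req_auth, body, secret):
    """RFC 3579: HMAC-MD5(secret, Code + ID + Length + RequestAuth + Attributes) with the
    Message-Authenticator value zeroed; 'body' must already contain the zeroed attribute."""
    return hmac.new(secret, header + req_auth + body, hashlib.md5).digest()


def relay_access_request(ident, req_auth, username, nas_ip, eap, secret):
    """NAS in EAP relay mode: the client's EAP packet goes unchanged into EAP-Message
    attributes and the whole request is integrity-protected with Message-Authenticator."""
    attrs = [(ATTR_USER_NAME, username),
             (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    attrs += [(ATTR_EAP_MESSAGE, eap[i:i + EAP_MESSAGE_CHUNK])
              for i in range(0, len(eap), EAP_MESSAGE_CHUNK)]
    attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))   # placeholder, filled in last
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body))
    body = body[:-16] + sign_message_authenticator(header, req_auth, body, secret)
    return header + req_auth + body


def build_reply(code, request, attrs, secret, include_ma=True):
    """Server side (demo only). Message-Authenticator is computed first; the Response
    Authenticator MD5(Code + ID + Length + RequestAuth + Attributes + Secret) then covers it."""
    req_auth = request[4:HEADER_LEN]
    attrs = list(attrs) + ([(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))] if include_ma else [])
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(body))
    if include_ma:
        body = body[:-16] + sign_message_authenticator(header, req_auth, body, secret)
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def message_authenticator_ok(packet, req_auth, secret):
    """Locate Message-Authenticator, zero it in a copy, recompute and compare in constant
    time. Returns None when the attribute is absent so the caller can decide."""
    offset = HEADER_LEN
    for t, v in decode_attrs(packet[HEADER_LEN:]):
        if t == ATTR_MESSAGE_AUTHENTICATOR and len(v) == 16:
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = sign_message_authenticator(zeroed[:4], req_auth, zeroed[HEADER_LEN:], secret)
            return hmac.compare_digest(expected, v)
        offset += 2 + len(v)
    return None


def nas_accepts_reply(reply, request, secret):
    """Checks the access device must make before acting on Access-Challenge/Accept/Reject
    in EAP mode: declared length, Response Authenticator, and a present and valid
    Message-Authenticator whenever the reply carries EAP-Message (RFC 3579 section 3.2)."""
    if len(reply) < HEADER_LEN or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    req_auth = request[4:HEADER_LEN]
    expected = hashlib.md5(reply[:4] + req_auth + reply[HEADER_LEN:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:HEADER_LEN]):
        return False
    attrs = decode_attrs(reply[HEADER_LEN:])
    ma_ok = message_authenticator_ok(reply, req_auth, secret)
    if any(t == ATTR_EAP_MESSAGE for t, _ in attrs):
        return ma_ok is True
    return ma_ok is not False
```

In CHAP or PAP termination mode the device builds CHAP-Password or User-Password itself instead of EAP-Message, which is why the method configured here must match what the RADIUS server expects; the reply checks above still apply, since a RADIUS server that is configured to require Message-Authenticator will reject requests lacking it in either mode.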
<Sysname> system-view [Sysname] interface ten-gigabitethernet 1/0/1 [Sysname-Ten-GigabitEthernet1/0/1] dot1x auth-fail vlan 100 Related commands display dot1x dot1x auth-fail vsi Use dot1x auth-fail vsi to configure an 802.1X Auth-Fail VSI on a port. Use undo dot1x auth-fail vsi to restore the default. Syntax dot1x auth-fail vsi authfail-vsi-name undo dot1x auth-fail vsi...
dot1x critical eapol Use dot1x critical eapol to enable the sending of an EAP-Success packet to a client when the 802.1X client user is assigned to the 802.1X critical VLAN on a port. Use undo dot1x critical eapol to restore the default. Syntax dot1x critical eapol undo dot1x critical eapol...
Default No 802.1X critical VLAN exists on a port. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Parameters critical-vlan-id: Specifies the ID of the 802.1X critical VLAN on the port. The value range for the VLAN ID is 1 to 4094.
Predefined user roles network-admin mdc-admin Parameters critical-vsi-name: Specifies the name of the 802.1X critical VSI on the port, a case-sensitive string of 1 to 31 characters. Usage guidelines An 802.1X critical VSI accommodates users that have failed 802.1X authentication because all the RADIUS servers in their ISP domains are unreachable.
• The port is configured with the voice VLAN. To configure a voice VLAN on a port, use the voice-vlan enable command (see Layer 2—LAN Switching Command Reference). • LLDP is enabled both globally and on the port. The device uses LLDP to identify voice users. For information about LLDP commands, see Layer 2—LAN Switching Command Reference.
If a username string contains multiple configured delimiters, the device takes the rightmost delimiter in the username string as the domain name delimiter. For example, if you configure the forward slash (/), dot (.), and backslash (\) as delimiters, the domain name delimiter for the username string 121.123/22\@abc is the backslash (\).
undo dot1x ead-assistant url Default No redirect URL exists for EAD assistant. Views System view Predefined user roles network-admin mdc-admin Parameters url-string: Specifies the redirect URL, a case-sensitive string of 1 to 256 characters in the format http://string or https://string. If the specified URL does not start with http:// or https://, the URL is considered to start with http:// by default.
Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Usage guidelines This command enables the device to send 802.1X protocol packets out of an 802.1X-enabled port without VLAN tags. Use this command to prevent terminal devices connected to the port from failing 802.1X authentication when the following conditions exist: •...
Usage guidelines An 802.1X guest VLAN accommodates users that have not performed 802.1X authentication. In the guest VLAN, users can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. You cannot specify a VLAN as both a super VLAN and an 802.1X guest VLAN on a port. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide.
When 802.1X authentication is triggered on a port, the device performs the following operations:
1. Sends a unicast EAP-Request/Identity packet to the MAC address that triggers the authentication.
2. Retransmits the packet if no response has been received within the username request timeout interval set by using the dot1x timer tx-period command.
You can configure only one 802.1X guest VSI on a port. The 802.1X guest VSIs on different ports can be different. On a port, the 802.1X guest VSI configuration is mutually exclusive with the 802.1X guest VLAN, 802.1X Auth-Fail VLAN, and 802.1X critical VLAN settings. Examples # Specify VSI vsiuser as the 802.1X guest VSI on Ten-GigabitEthernet 1/0/1.
Assigns the port to the 802.1X guest VSI after the maximum number of request attempts set by using the dot1x retry command is reached. If you use the undo command without any keyword, the command disables both EAPOL-triggered and new MAC-triggered 802.1X guest VSI assignment delays on a port. Examples # Enable EAPOL-triggered 802.1X guest VSI assignment delay on Ten-GigabitEthernet 1/0/1.
Related commands display dot1x dot1x timer handshake-period dot1x retry dot1x handshake reply enable Use dot1x handshake reply enable to enable the 802.1X online user handshake reply feature. Use undo dot1x handshake reply enable to disable the 802.1X online user handshake reply feature.
Default The online user handshake security feature is disabled. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Usage guidelines The online user handshake security feature enables the device to prevent users from using illegal client software.
Parameters mac-address: Specifies a MAC address in the format of H-H-H, excluding broadcast, multicast, and all-zero MAC addresses. all: Specifies all MAC addresses that are bound to a port. Usage guidelines This command takes effect only when the 802.1X MAC address binding feature takes effect. 802.1X MAC address binding entries, both manually added and automatically generated, never age out.
The 802.1X MAC address binding feature automatically binds MAC addresses of authenticated 802.1X users to the users' access port and generates 802.1X MAC address binding entries. 802.1X MAC address binding entries, both automatically generated and manually added, never age out. They can survive a user logoff or a device reboot. To delete an entry, you must use the undo dot1x mac-binding mac-address command.
Default ISP domain. Examples # Specify my-domain as the mandatory authentication domain for 802.1X users on Ten-GigabitEthernet 1/0/1. <Sysname> system-view [Sysname] interface ten-gigabitethernet 1/0/1 [Sysname-Ten-GigabitEthernet1/0/1] dot1x mandatory-domain my-domain Related commands display dot1x dot1x max-user Use dot1x max-user to set the maximum number of concurrent 802.1X users on a port. Use undo dot1x max-user to restore the default.
Use undo dot1x multicast-trigger to disable the 802.1X multicast trigger feature. Syntax dot1x multicast-trigger undo dot1x multicast-trigger Default The 802.1X multicast trigger feature is enabled. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Usage guidelines The multicast trigger feature enables the device to act as the initiator.
mdc-admin Parameters authorized-force: Places the port in authorized state, enabling users on the port to access the network without authentication. auto: Places the port initially in unauthorized state to allow only EAPOL packets to pass, and places the port in authorized state after a user passes authentication. You can use this option in most scenarios.
Default The 802.1X periodic reauthentication feature is disabled. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Usage guidelines Periodic reauthentication enables the access device to periodically authenticate online 802.1X users on a port. This feature tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL and VLAN.
[Sysname] interface ten-gigabitethernet 1/0/1 [Sysname-Ten-GigabitEthernet1/0/1] dot1x re-authenticate manual Related commands dot1x re-authenticate dot1x re-authenticate server-unreachable keep-online Use dot1x re-authenticate server-unreachable keep-online to enable the keep-online feature on a port. Use undo dot1x re-authenticate server-unreachable to restore the default. Syntax dot1x re-authenticate server-unreachable keep-online undo dot1x re-authenticate server-unreachable Default The keep-online feature is disabled on a port.
Default A maximum of two attempts are made to send an authentication request to a client. Views System view Predefined user roles network-admin mdc-admin Parameters retries: Specifies the maximum number of attempts for sending an authentication request to a client. The value range is 1 to 10.
• Periodic reauthentication timer: 3600 seconds.
• Server timeout timer: 100 seconds.
• Client timeout timer: 30 seconds.
• Username request timeout timer: 30 seconds.
Views System view Predefined user roles network-admin mdc-admin Parameters ead-timeout ead-timeout-value: Specifies the EAD rule timer in minutes. The value range for the ead-timeout-value argument is 1 to 1440.
• Periodic reauthentication timer (reauth-period)—Sets the interval at which the network device periodically reauthenticates online 802.1X users. To enable 802.1X periodic reauthentication on a port, use the dot1x re-authenticate command.
• Server timeout timer (server-timeout)—Starts when the access device sends a RADIUS Access-Request packet to the authentication server.
Usage guidelines The device reauthenticates online 802.1X users on a port at the specified periodic reauthentication interval when the port is enabled with periodic reauthentication. To enable periodic reauthentication on a port, use the dot1x re-authenticate command. A change to the periodic reauthentication timer applies to online users only after the old timer expires.
Predefined user roles network-admin mdc-admin Parameters interface interface-type interface-number: Specifies a port by its type and number. mac-address mac-address: Specifies the MAC address of an 802.1X user in the guest VLAN. If you do not specify this option, the command removes all 802.1X users from the 802.1X guest VLAN on the port.
Views User view Predefined user roles network-admin mdc-admin Parameters interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command clears 802.1X statistics on all ports. Examples # Clear 802.1X statistics on Ten-GigabitEthernet 1/0/1. <Sysname>...
MAC authentication commands display mac-authentication Use display mac-authentication to display MAC authentication settings and statistics. Syntax display mac-authentication [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies a port by its type and number. If the specified port is not enabled with MAC authentication, this command displays only global MAC authentication information.
Auth-delay period : 60 s
Periodic reauth : Enabled
Reauth period : 120 s
Re-auth server-unreachable : Logoff
Guest VLAN : 100
Guest VLAN auth-period : 150 s
Critical VLAN : Not configured
Critical voice VLAN : Disabled
Host mode : Multiple VLAN
Offline detection : Enabled...
Field: Description
Authentication domain: MAC authentication domain specified in system view. If no authentication domain is specified in system view, this field displays Not configured, use default domain.
Online MAC-auth wired users: Number of wired online MAC authentication users, including users that have passed MAC authentication and users that are performing MAC authentication.
Field: Description
Authentication order: If parallel processing of MAC authentication and 802.1X authentication is disabled, this field displays Default. If parallel processing of MAC authentication and 802.1X authentication is enabled, this field displays Parallel.
Guest VSI: MAC authentication guest VSI configured on the port. If no MAC authentication guest VSI is configured, this field displays Not configured.
interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays information about online MAC authentication users for all ports. slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information about online MAC authentication users for all cards.
Field: Description
User access state: Access state of the user:
• Successful—The user passes MAC authentication and comes online.
• Open—The user uses a nonexistent username or an incorrect password to come online in open authentication mode.
Authentication domain: MAC authentication domain to which the user belongs.
IPv4 address of the user.
mdc-admin mdc-operator Parameters critical-vlan: Specifies the MAC authentication critical VLAN. critical-vsi: Specifies the MAC authentication critical VSI. guest-vlan: Specifies the MAC authentication guest VLAN. guest-vsi: Specifies the MAC authentication guest VSI. interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays MAC address information of MAC authentication users in the specified MAC authentication VLAN or VSI on all ports.
Field: Description
Type VLAN/VSI: VLAN or VSI information for MAC authentication users. The Type argument has the following values:
• Critical VLAN.
• Critical VSI.
• Guest VLAN.
• Guest VSI.
Aging time: MAC address aging time in seconds. This field displays N/A if the MAC addresses do not age out.
MAC addresses: Number of matching MAC addresses on a port.
Syntax mac-authentication carry user-ip undo mac-authentication carry user-ip Default A MAC authentication request does not include the user IP address. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Usage guidelines This command resolves the IP address conflicts that might be caused by users modifying their IP addresses. After you configure this command, users cannot pass MAC authentication if the IP and MAC information in their authentication requests does not match the users' IP-MAC mappings on the IMC server.
Default No MAC authentication critical VLAN exists on a port. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Parameters critical-vlan-id: Specifies a VLAN as the MAC authentication critical VLAN. The value range for the VLAN ID is 1 to 4094.
Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Parameters critical-vsi-name: Specifies the name of the MAC authentication critical VSI on the port, a case-sensitive string of 1 to 31 characters. Usage guidelines The MAC authentication critical VSI accommodates users that have failed MAC authentication because all the servers in their ISP domains are unreachable.
Usage guidelines The MAC authentication critical voice VLAN on a port accommodates MAC authentication voice users that have failed authentication because none of the RADIUS servers in their ISP domain are reachable. Before you enable the MAC authentication critical voice VLAN on the port, make sure the following requirements are met: •...
Parameters domain-name: Specifies the name of an ISP domain, a case-insensitive string of 1 to 255 characters. Usage guidelines The global authentication domain applies to all MAC authentication-enabled ports. An authentication domain specified in Layer 2 Ethernet interface view or Layer 2 aggregate interface view applies only to the port.
passwords entered. You can deploy a limited set of network resources in the MAC authentication guest VLAN. For example, a software server for downloading software and system patches. You cannot specify a VLAN as both a super VLAN and a MAC authentication guest VLAN on a port. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide.
Related commands display mac-authentication mac-authentication guest-vlan mac-authentication guest-vsi Use mac-authentication guest-vsi to configure a MAC authentication guest VSI on a port. Use undo mac-authentication guest-vsi to restore the default. Syntax mac-authentication guest-vsi guest-vsi-name undo mac-authentication guest-vsi Default No MAC authentication guest VSI exists on a port. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view...
mac-authentication guest-vsi auth-period Use mac-authentication guest-vsi auth-period to set the interval at which the device authenticates users in the MAC authentication guest VSI. Use undo mac-authentication guest-vsi auth-period to restore the default. Syntax mac-authentication guest-vsi auth-period period-value undo mac-authentication guest-vsi auth-period Default The device authenticates users in the MAC authentication guest VSI every 30 seconds.
Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Usage guidelines The MAC authentication multi-VLAN mode protects an authenticated online user from service interruption caused by VLAN changes on a port. When the port receives a packet sourced from the user in a VLAN that does not match the existing MAC-VLAN mapping, the device neither logs off the user nor reauthenticates the user.
Usage guidelines Set the maximum number of concurrent MAC authentication users on a port to prevent the system resources from being overused. When the maximum number is reached, the port denies subsequent MAC authentication users. Examples # Configure Ten-GigabitEthernet 1/0/1 to support a maximum of 32 concurrent MAC authentication users.
mac-authentication parallel-with-dot1x Use mac-authentication parallel-with-dot1x to enable parallel processing of MAC authentication and 802.1X authentication on a port. Use undo mac-authentication parallel-with-dot1x to restore the default. Syntax mac-authentication parallel-with-dot1x undo mac-authentication parallel-with-dot1x Default Parallel processing of MAC authentication and 802.1X authentication is disabled on a port. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view...
mac-authentication re-authenticate Use mac-authentication re-authenticate to enable the periodic MAC reauthentication feature on a port. Use undo mac-authentication re-authenticate to disable the periodic MAC reauthentication feature on a port. Syntax mac-authentication re-authenticate undo mac-authentication re-authenticate Default The periodic MAC reauthentication feature is disabled on a port. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view...
Default The keep-online feature is disabled on a port. The device logs off online MAC authentication users if no server is reachable for MAC reauthentication. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Usage guidelines The keep-online feature keeps authenticated MAC authentication users online when no server is...
Parameters auth-delay auth-delay-time: Specifies the delay time for MAC authentication in seconds. The value range is 1 to 180. reauth-period reauth-period-value: Specifies the port-specific periodic MAC reauthentication timer in seconds. The value range is 60 to 7200. Usage guidelines When both 802.1X authentication and MAC authentication are enabled on a port, you can delay MAC authentication so that 802.1X authentication is preferentially triggered.
• The quiet timer is 60 seconds.
• The global periodic MAC reauthentication timer is 3600 seconds.
• The server timeout timer is 100 seconds.
Views System view Predefined user roles network-admin mdc-admin Parameters offline-detect offline-detect-value: Specifies the offline detect timer in the range of 60 to 2147483647, in seconds.
Examples # Configure a shared account for MAC authentication users, and set the username to abc and the password to the plaintext string xyz. <Sysname> system-view [Sysname] mac-authentication user-name-format fixed account abc password simple xyz # Use MAC-based user accounts for MAC authentication users. Each MAC address must be in hexadecimal notation with hyphens, and letters must be in upper case.
Views User view Predefined user roles network-admin mdc-admin Parameters interface interface-type interface-number: Specifies a port by its type and number. mac-address mac-address: Specifies a user by its MAC address. If you do not specify this option, the command removes all users from the MAC authentication critical VSI on the port. Examples # Remove the user with MAC address 1-1-1 from the MAC authentication critical VSI on Ten-GigabitEthernet 1/0/1.
reset mac-authentication guest-vlan Use reset mac-authentication guest-vlan to remove users from the MAC authentication guest VLAN on a port. Syntax reset mac-authentication guest-vlan interface interface-type interface-number [ mac-address mac-address ] Views User view Predefined user roles network-admin mdc-admin Parameters interface interface-type interface-number: Specifies a port by its type and number. mac-address mac-address: Specifies a user by its MAC address.
Examples # Remove the user with MAC address 1-1-1 from the MAC authentication guest VSI on Ten-GigabitEthernet 1/0/1. <Sysname> reset mac-authentication guest-vsi interface ten-gigabitethernet 1/0/1 mac-address 1-1-1 Related commands display mac-authentication mac-authentication guest-vsi reset mac-authentication statistics Use reset mac-authentication statistics to clear MAC authentication statistics. Syntax reset mac-authentication statistics [ interface interface-type interface-number ] Views...
Portal commands aging-time Use aging-time to set the aging time for MAC-trigger entries. Use undo aging-time to restore the default. Syntax aging-time seconds undo aging-time Default The aging time for MAC-trigger entries is 300 seconds. Views MAC binding server view Predefined user roles network-admin mdc-admin...
authentication-timeout Use authentication-timeout to specify the authentication timeout, which is the maximum amount of time the device waits for portal authentication to complete after receiving a MAC binding query response. Use undo authentication-timeout to restore the default. Syntax authentication-timeout minutes undo authentication-timeout Default The authentication timeout time is 3 minutes.
Predefined user roles network-admin mdc-admin Parameters retries: Specifies the maximum number of MAC binding query attempts, in the range of 1 to 10. interval interval: Specifies the query interval in the range of 1 to 60 seconds. Usage guidelines If the device does not receive a response from the MAC binding server after the maximum number is reached, the device determines that the MAC binding server is unreachable.
Usage guidelines You must edit the default authentication pages, compress them to a .zip file, and then upload the file to the root directory of the storage medium of the device. After you use the default-logon-page command to specify the file, the device decompresses the file to get the authentication pages.
Pre-auth domain: abc
User-dhcp-only: Enabled
Pre-auth IP pool: ab
Max Portal users: Not configured
Bas-ip: Not configured
User detection : Type: ICMP Interval: 300s Attempts: 5 Idle time: 180s
Action for server detection:
Server type Server name Action
Web server fail-permit
Portal server fail-permit...
Field: Description
Portal status: Portal authentication status on the interface:
• Disabled—Portal authentication is disabled.
• Enabled—Portal authentication is enabled.
• Authorized—The portal authentication server or portal Web server is unreachable. The interface allows users to have network access without authentication.
Authentication mode enabled on the interface: •...
display portal packet statistics Use display portal packet statistics to display packet statistics for portal authentication servers. Syntax display portal packet statistics [ server server-name ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters server server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.
NTF_USER_NOTIFY
AFF_NTF_USER_NOTIFY
Table 24 Command output
Field: Description
Portal server: Name of the portal authentication server.
Invalid packets: Number of invalid packets.
Pkt-Type: Packet type.
Total: Total number of packets.
Drops: Number of dropped packets.
Errors: Number of packets that carry error information.
REQ_CHALLENGE: Challenge request packet the portal authentication server sent to the access device.
Field: Description
NTF_USER_NOTIFY: User information notification packet the access device sent to the portal authentication server.
AFF_NTF_USER_NOTIFY: NTF_USER_NOTIFY acknowledgment packet the portal authentication server sent to the access device.
Related commands reset portal packet statistics display portal rule Use display portal rule to display portal filtering rules. Syntax In standalone mode: display portal rule { all | dynamic | static } { interface interface-type interface-number [ slot...
Rule 1
Type : Static
Action : Permit
Protocol : Any
Status : Active
Source:
: 0.0.0.0
Mask : 0.0.0.0
Port : Any
: 0000-0000-0000
Interface : Vlan-interface100
VLAN : 100
Destination:
: 192.168.0.111
Mask : 255.255.255.255
Port : Any
Rule 2
Type : Dynamic...
Source:
: 0.0.0.0
Mask : 0.0.0.0
Interface : Vlan-interface100
VLAN : Any
Destination:
: 0.0.0.0
Mask : 0.0.0.0
IPv6 portal rules on Vlan-interface100:
Rule 1
Type : Static
Action : Permit
Protocol : Any
Status : Active
Source:
: ::
Prefix length
Port : Any...
Protocol : TCP
Destination:
: ::
Prefix length
Port : 80
Rule 4:
Type : Static
Action : Deny
Status : Active
Source:
: ::
Prefix length
Interface : Vlan-interface100
VLAN : 100
Destination:
: ::
Prefix length
Author ACL:
Number : 3001
Rule 5:...
Field: Description
Status: Status of the portal filtering rule:
• Active—The portal filtering rule is effective.
• Unactuated—The portal filtering rule is not activated.
Source: Source information of the portal filtering rule.
Source IP address.
Mask: Subnet mask of the source IPv4 address.
Prefix length: Prefix length of the source IPv6 address.
Usage guidelines If you do not specify the server-name argument, this command displays information about all portal authentication servers. Examples # Display information about the portal authentication server pts. <Sysname> display portal server pts Portal server: pts Type : IMC : 192.168.0.111 VPN instance : Not configured...
Syntax display portal user { all | interface interface-type interface-number | ip ipv4-address | ipv6 ipv6-address | pre-auth [ interface interface-type interface-number | ip ipv4-address | ipv6 ipv6-address ] } [ verbose ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator...
000d-88f8-0eac 3.3.3.3 Vlan-interface200
Authorization information:
DHCP IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL number: 3001
Inbound CAR: CIR 3072 bps 3072 bps (inactive)
Outbound CAR: CIR 3072 bps 3072 bps (inactive)
# Display information about preauthentication portal users.
<Sysname>...
Field: Description
VPN instance: MPLS L3VPN instance to which the portal user belongs. If the portal user is on a public network, this field displays N/A.
MAC address of the portal user.
IP address of the portal user.
VLAN: VLAN where the portal user resides.
Interface: Access interface of the portal user.
Basic:
Current IP address: 50.50.50.3
Original IP address: 30.30.30.2
Username: user1@hrss
User ID: 0x28000002
Access interface: Vlan-interface20
Service-VLAN/Customer-VLAN: -/-
MAC address: 0000-0000-0001
Domain: hrss
VPN instance: N/A
Status: Online
Portal server: test
Portal authentication method: Direct
AAA:
Realtime accounting interval: 60s, retry times: 3
Idle cut: 180 sec, 10240 bytes, direction: Inbound
Session duration: 500 sec, remaining: 300 sec
Remaining traffic: 10240000 bytes...
Field: Description
Service-VLAN/Customer-VLAN: Public VLAN/Private VLAN to which the portal user belongs. If no VLAN is configured for the portal user, this field displays -/-.
MAC address: MAC address of the portal user.
Domain: ISP domain name for portal authentication.
MPLS L3VPN instance to which the portal user belongs.
Field: Description
Inbound CAR: Authorized inbound CAR:
• CIR—Committed information rate in bps.
• PIR—Peak information rate in bps.
• active—The authorized inbound CAR is applied to the user access interface successfully.
• inactive—The authorized inbound CAR is not applied to the user access interface.
Field: Description
level-n uplink packets/bytes: This field is not supported in the current software version. Packet and byte statistics of the upstream traffic at the accounting level n. The number n is in the range of 1 to 8.
level-n downlink packets/bytes: This field is not supported in the current software version. Packet and byte statistics of the downstream traffic at the accounting level n.
Table 29 Command output
Field: Description
Type: Portal Web server type. This field always displays IMC, which indicates the IMC server.
Portal Web server: Name of the portal Web server.
URL of the portal Web server.
URL parameters: URL parameters for the portal Web server.
VPN instance: Name of the MPLS L3VPN where the portal Web server resides.
Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies an interface by its type and number. slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays Web redirect rules for the active MPU. (In standalone mode.) chassis chassis-number slot slot-number: Specifies a card on an IRF member device.
Table 30 Command output
Field: Description
Rule: Number of the Web redirect rule.
Type: Type of the Web redirect rule:
• Static—Static Web redirect rule, generated when the Web redirect feature takes effect.
• Dynamic—Dynamic Web redirect rule, generated when a user visits a redirect webpage.
Parameters original-url url-string: Specifies a URL string to match the URL in HTTP requests of a portal user. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters. redirect-url url-string: Specifies the URL to which the user is redirected. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.
<Sysname> system-view [Sysname] portal web-server wbs [Sysname-portal-websvr-wbs] if-match user-agent 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 redirect-url http://192.168.0.1 Related commands display portal web-server portal free-rule url-parameter ip (MAC binding server view) Use ip to specify the IP address of a MAC binding server. Use undo ip to restore the default. Syntax ip ipv4-address [ vpn-instance ipv4-vpn-instance-name ] [ key { cipher | simple } string ] undo ip...
Examples # Specify the IP address of the MAC binding server as 192.168.0.111 and the plaintext key as portal. <Sysname> system-view [Sysname] portal mac-trigger-server mts [Sysname-portal-mac-trigger-server-mts] ip 192.168.0.111 key simple portal Related commands display portal mac-trigger-server ip (portal authentication server view) Use ip to specify the IP address of an IPv4 portal authentication server.
Examples # Configure the IP address of IPv4 portal authentication server pts as 192.168.0.111 and the plaintext key as portal. <Sysname> system-view [Sysname] portal server pts [Sysname-portal-server-pts] ip 192.168.0.111 key simple portal Related commands display portal server portal server ipv6 Use ipv6 to specify the IP address of an IPv6 portal authentication server.
Do not configure the same IPv6 address and MPLS L3VPN for different portal authentication servers. Examples # Configure the IP address of IPv6 portal authentication server pts as 2000::1 and the plaintext key as portal. <Sysname> system-view [Sysname] portal server pts [Sysname-portal-server-pts] ipv6 2000::1 key simple portal Related commands display portal server...
port (MAC binding server view) Use port to set the UDP port number the MAC binding server uses to listen for MAC binding query packets. Use undo port to restore the default. Syntax port port-number undo port Default The MAC binding server listens for MAC binding query packets on UDP port 50100. Views MAC binding server view Predefined user roles...
Predefined user roles network-admin mdc-admin Parameters port-number: Specifies a destination UDP port number the device uses to send unsolicited portal packets to the portal authentication server. The value range for this argument is 1 to 65534. Usage guidelines The specified port must be the port that listens to portal packets on the portal authentication server. Examples # Set the destination UDP port number to 50000 for the device to send unsolicited portal packets to portal authentication server pts.
ipv6-address: Specifies BAS-IPv6 for portal packets sent to the portal authentication server. This attribute must be the IPv6 address of an interface on the device. It cannot be a multicast address, an all-0 address, or a link-local address. Usage guidelines If the device runs Portal 2.0, unsolicited portal packets (such as a logout notification packet) sent to the portal authentication server must carry the BAS-IP attribute.
Usage guidelines If the specified maximum number is smaller than the number of current online portal users on the interface, the limit can still be set successfully. The limit does not affect the online portal users. However, the device does not allow new portal users to log in from the interface until the number drops below the limit.
Related commands portal mac-trigger-server portal apply web-server (interface view) Use portal [ ipv6 ] apply web-server to specify a portal Web server. The device redirects the HTTP requests sent by unauthenticated portal users to the portal Web server. Use undo portal [ ipv6 ] apply web-server to restore the default. Syntax portal [ ipv6 ] apply web-server server-name [ fail-permit ] undo portal [ ipv6 ] apply web-server...
mdc-admin Parameters ipv4-address: Specifies the IP address of an IPv4 online portal user. all: Specifies IPv4 and IPv6 online portal users on all interfaces. interface interface-type interface-number: Specifies an interface by its type and number. If you specify this option, this command logs out all IPv4 and IPv6 online portal users on the interface. ipv6 ipv6-address: Specifies the IP address of an IPv6 online portal user.
portal domain (interface view) Use portal [ ipv6 ] domain to specify a portal authentication domain on an interface. All portal users accessing through the interface must use the authentication domain. Use undo portal [ ipv6 ] domain to delete the configured portal authentication domain. Syntax portal [ ipv6 ] domain domain-name undo portal [ ipv6 ] domain...
Views Interface view Predefined user roles network-admin mdc-admin Parameters ipv6: Specifies an IPv6 portal authentication server. Do not specify this keyword for an IPv4 portal authentication server. server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.
mdc-admin Parameters ipv4-network-address: Specifies an IPv4 portal authentication subnet address. mask-length: Specifies the subnet mask length for the authentication subnet address, in the range of 0 to 32. mask: Specifies the subnet mask in dotted decimal format. Usage guidelines Portal users on the interface are authenticated when accessing the specified authentication destination subnet (except IP addresses and subnets specified in portal-free rules).
Predefined user roles network-admin mdc-admin Parameters rule-number: Specifies a portal-free rule number. The value range for this argument is 0 to 4294967295. destination: Specifies the destination information. source: Specifies the source information. ip ipv4-address: Specifies an IPv4 address for the portal-free rule. { mask-length | mask }: Specifies the subnet mask of the IPv4 address.
• Specify the source IP address as 2000::1/64, the destination IP address as 2001::1, and the destination TCP port number as 23. • Specify the interface as VLAN-interface 1. <Sysname> system-view [Sysname] portal free-rule 2 destination ipv6 2001::1 128 tcp 23 source ip 2000::1 64 interface vlan-interface 1 With this rule, users in subnet 2000::1/64 do not need to pass portal authentication on VLAN-interface 1 when they access services provided on TCP port 23 of host 2001::1.
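The matching semantics of the rule above, as an added example in Python that is not from the command reference: it models how a portal-free rule is checked against a packet, including the prefix-length handling that turns 2000::1 64 into 2000::/64, and the rejection of a second destination-based rule with the same destination information. The field model, the interface-name normalization, the "unspecified field matches anything" behaviour and the constructed rule 5 are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def network(addr: str, prefix_len: int) -> Network:
    """Turn the CLI pair 'address prefix-length' (for example 2000::1 64) into a subnet.

    strict=False discards the host bits, so 2000::1 with length 64 becomes 2000::/64,
    while 2001::1 with length 128 stays a single host.
    """
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


def _norm_interface(name: str) -> str:
    # "vlan-interface 1" (CLI) and "Vlan-interface1" (display output) name the same port.
    return name.replace(" ", "").lower()


@dataclass(frozen=True)
class PortalFreeRule:
    number: int
    src_net: Optional[Network] = None
    dst_net: Optional[Network] = None
    protocol: Optional[str] = None   # "tcp" or "udp"; None matches any protocol
    dst_port: Optional[int] = None
    interface: Optional[str] = None

    def is_destination_based(self) -> bool:
        # Assumed definition: only destination information is specified.
        return self.dst_net is not None and self.src_net is None and self.interface is None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: int
    interface: str


def _in_net(addr_text: str, net: Optional[Network]) -> bool:
    if net is None:
        return True
    addr = ipaddress.ip_address(addr_text)
    # An IPv4 packet never matches an IPv6 rule, and vice versa.
    return addr.version == net.version and addr in net


def rule_matches(rule: PortalFreeRule, pkt: Packet) -> bool:
    """Every field the rule specifies must match; unspecified fields match anything."""
    if not _in_net(pkt.src, rule.src_net) or not _in_net(pkt.dst, rule.dst_net):
        return False
    if rule.protocol is not None and rule.protocol.lower() != pkt.protocol.lower():
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.interface is not None and _norm_interface(rule.interface) != _norm_interface(pkt.interface):
        return False
    return True


class PortalFreeRuleTable:
    def __init__(self) -> None:
        self._rules: Dict[int, PortalFreeRule] = {}

    def add(self, rule: PortalFreeRule) -> None:
        """Reject a second destination-based rule with the same destination information."""
        for other in self._rules.values():
            if (rule.is_destination_based() and other.is_destination_based()
                    and (other.dst_net, other.protocol, other.dst_port)
                    == (rule.dst_net, rule.protocol, rule.dst_port)):
                raise ValueError(f"the same rule already exists (rule {other.number})")
        self._rules[rule.number] = rule

    def free_rule_for(self, pkt: Packet) -> Optional[int]:
        """Return the number of the first rule that exempts the packet from portal authentication."""
        for number in sorted(self._rules):
            if rule_matches(self._rules[number], pkt):
                return number
        return None


def build_example_table() -> PortalFreeRuleTable:
    """Rule 2 from the configuration above, plus a constructed destination-based rule 5."""
    table = PortalFreeRuleTable()
    table.add(PortalFreeRule(number=2, src_net=network("2000::1", 64),
                             dst_net=network("2001::1", 128), protocol="tcp",
                             dst_port=23, interface="vlan-interface 1"))
    # Constructed (hypothetical): let every user reach one host on TCP 443 without authentication.
    table.add(PortalFreeRule(number=5, dst_net=network("192.0.2.10", 32),
                             protocol="tcp", dst_port=443))
    return table


if __name__ == "__main__":
    table = build_example_table()
    telnet = Packet("2000::abcd", "2001::1", "tcp", 23, "Vlan-interface1")
    ssh = Packet("2000::abcd", "2001::1", "tcp", 22, "Vlan-interface1")
    print(table.free_rule_for(telnet), table.free_rule_for(ssh))
```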
The configured host name cannot contain only asterisks (*). The fuzzy match feature takes effect only on HTTP or HTTPS requests initiated by Web browsers. You cannot configure two destination-based portal-free rules with the same destination information. Otherwise, the system prompts you that the same rule already exists. Examples # Configure a destination-based portal-free rule: specify the rule number as 4 and the host name as www.abc.com.
Examples # Configure source-based portal-free rule: specify the rule number as 3, source MAC address as 1-1-1, and source VLAN ID as 10. This rule allows the portal user whose source MAC address is 1-1-1 from VLAN 10 to access network resources without authentication. <Sysname>...
If firewall policies on the access device filter out ICMPv6 packets, ICMPv6 detection might fail and result in the logout of portal users. Make sure the access device does not block ICMPv6 packets before you enable ICMPv6 detection on an interface. Examples # Enable online detection of IPv6 portal users on VLAN-interface 100.
Examples # Configure an IPv4 portal authentication source subnet of 10.10.10.0/24 on VLAN-interface 2. <Sysname> system-view [Sysname] interface vlan-interface 2 [Sysname-Vlan-interface2] portal layer3 source 10.10.10.0 24 Related commands display portal portal free-all except destination portal local-web-server Use portal local-web-server to create an HTTP- or HTTPS-based local portal Web service and enter its view, or enter the view of the existing HTTP- or HTTPS-based local portal Web service.
To specify a new SSL server policy for HTTPS, first execute the undo form of this command to delete the existing HTTPS-based local portal Web service. When you specify the listening TCP port number for the HTTPS-based local portal Web service, follow these restrictions and guidelines: •...
Default Portal user login and logout logging is disabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines This feature logs information about portal user login and logout events, including the username, IP address, user's MAC address, interface name, VLAN, and reason for login failure. For portal log messages to be sent correctly, you must also configure the information center on the device.
[Sysname-portal-mac-trigger-server-mts] Related commands display portal mac-trigger-server portal apply mac-trigger-server portal max-user Use portal max-user to set the maximum number of total portal users allowed in the system. Use undo portal max-user to restore the default. Syntax portal max-user max-number undo portal max-user Default The total number of portal users allowed in the system is not limited.
Syntax portal nas-id-profile profile-name undo portal nas-id-profile Default No NAS-ID profile is specified for an interface. Views Interface view Predefined user roles network-admin mdc-admin Parameters profile-name: Specifies the name of a NAS-ID profile, a case-insensitive string of 1 to 31 characters. Usage guidelines A NAS-ID profile defines the binding relationship between VLANs and NAS-IDs.
Predefined user roles network-admin mdc-admin Parameters 1: Uses format 1 for the NAS-Port-Id attribute. 2: Uses format 2 for the NAS-Port-Id attribute. 3: Uses format 3 for the NAS-Port-Id attribute. 4: Uses format 4 for the NAS-Port-Id attribute. Usage guidelines The NAS-Port-Id format supported by RADIUS servers varies by vendor.
AccessNodeIdentifier: Identifier description of the access node, a string not longer than 50 characters without spaces. ANI_frame: Frame number of the access node, in the range of 0 to 31. ANI_slot: Slot number of the access node, in the range of 0 to 127. ANI_subslot: Subslot number of the access node, in the range of 0 to ... ANI_port: ...
Format 2 is SlotID00IfNOVlanID. • SlotID—Slot number, a string of 2 characters. • IfNO—Slot number, a string of 3 characters. • VlanID—VLAN ID, a string of 9 characters. Format 3 is SlotID00IfNOVlanIDDHCPoption. • SlotID—Slot number, a string of 2 characters. •...
Other outgoing packets on the interface are dropped. Examples # Enable outgoing packets filtering on VLAN-interface 20. <Sysname> system-view [Sysname] interface vlan-interface 20 [Sysname-Vlan-interface20] portal outbound-filter enable portal pre-auth domain Use portal [ ipv6 ] pre-auth domain to specify a preauthentication domain for portal users. Use undo portal [ ipv6 ] pre-auth domain to restore the default.
• You create the ISP domain after specifying it as the preauthentication domain. • You delete the specified ISP domain and then re-create it. If you change the preauthentication domain on an interface, the interface uses the new preauthentication domain for both new and existing preauthentication users. If authorization attributes in the preauthentication domain are modified, the modified attributes take effect only on new preauthentication users.
Usage guidelines You must use this command to specify a preauthentication IP address pool on a portal-enabled interface in the following situation: • Portal users access the network through a subinterface of the portal-enabled interface. • The subinterface does not have an IP address. •...
Usage guidelines When the Rule ARP or ND entry feature is enabled for portal clients, ARP or ND entries for portal clients are Rule entries after the clients come online. The Rule ARP or ND entries will not age out and will be deleted immediately after the portal clients go offline.
portal server Use portal server to create a portal authentication server and enter its view, or enter the view of an existing portal authentication server. Use undo portal server to delete the specified portal authentication server. Syntax portal server server-name undo portal server server-name Default No portal authentication servers exist.
undo portal user-detect Default Online detection of IPv4 portal users is disabled. Views Interface view Predefined user roles network-admin mdc-admin Parameters type: Specifies the detection type. • arp—ARP detection. • icmp—ICMP detection. retry retries: Specifies the maximum number of detection attempts, in the range of 1 to 10. The default value is 3.
[Sysname-Vlan-interface100] portal user-detect type arp retry 5 interval 10 idle 300 Related commands display portal portal user-dhcp-only (interface view) Use portal user-dhcp-only to allow only users with DHCP-assigned IP addresses to pass portal authentication. Use undo portal user-dhcp-only to restore the default. Syntax portal [ ipv6 ] user-dhcp-only undo portal [ ipv6 ] user-dhcp-only...
undo portal web-proxy port { port-number | all } Default No port numbers of Web proxy servers are specified. Proxied HTTP requests are dropped. Views System view Predefined user roles network-admin mdc-admin Parameters port-number: Specifies the port number of a Web proxy server. The value range for this argument is 1 to 65535.
Default No portal Web servers exist. Views System view Predefined user roles network-admin mdc-admin Parameters server-name: Specifies a portal Web server by its name, a case-sensitive string of 1 to 32 characters. Usage guidelines The portal Web server pushes portal authentication pages to portal users during authentication. The access device redirects HTTP requests of unauthenticated portal users to the portal Web server.
Related commands display portal packet statistics server-detect (portal authentication server view) Use server-detect to enable portal authentication server detection. After server detection is enabled for a portal authentication server, the device periodically detects portal packets from the server to identify its reachability status. Use undo server-detect to disable portal authentication server detection.
[Sysname] portal server pts [Sysname-portal-server-pts] server-detect timeout 600 log Related commands portal server server-detect (portal Web server view) Use server-detect to enable portal Web server detection. Use undo server-detect to disable portal Web server detection. Syntax server-detect [ interval interval ] [ retry retries ] { log | trap } * undo server-detect Default Portal Web server detection is disabled.
Related commands portal web-server server-type Use server-type to specify the type of a portal authentication server or portal Web server. Use undo server-type to restore the default. Syntax server-type imc undo server-type Default The type of the portal authentication server and portal Web server is IMC. Views Portal authentication server view Portal Web server view...
Default The type of the MAC binding server is IMC. Views MAC binding server view Predefined user roles network-admin mdc-admin Parameters imc: Specifies the MAC binding server type as IMC. Examples # Specify the type of MAC binding server as imc. <Sysname>...
• Do not configure the HTTPS listening port number as the default HTTP listening port number. • Do not configure the same listening port number for HTTP and HTTPS. • For the HTTPS-based local portal Web service and other services that use HTTPS: If they use the same SSL server policy, they can use the same TCP port number to listen to ...
[Sysname-portal-websvr-wbs] url http://www.test.com/portal Related commands display portal web-server url-parameter Use url-parameter to configure the parameters carried in the URL of a portal Web server. The access device redirects a portal user by sending the URL with the parameters to the user. Use undo url-parameter to delete the parameters carried in the URL of the portal Web server.
Usage guidelines You can configure multiple URL parameters. If you execute this command multiple times to configure the same URL parameter, the most recent configuration takes effect. After you configure the URL parameters, the access device sends the portal Web server URL with these parameters to portal users.
undo user-sync Default Portal user synchronization is disabled for a portal authentication server. Views Portal authentication server view Predefined user roles network-admin mdc-admin Parameters timeout timeout: Specifies a detection timeout for synchronization packets, in the range of 60 to 18000 seconds. Usage guidelines After this feature is enabled, the device replies to and periodically detects the synchronization packets from the portal authentication server.
undo version Default The version of the portal protocol is 1. Views MAC binding server view Predefined user roles network-admin mdc-admin Parameters version-number: Specifies the portal protocol version in the range of 1 to 3. Usage guidelines The specified portal protocol version must be the one required by the MAC binding server. Examples # Configure the device to use portal protocol version 2 to communicate with MAC binding server mts.
Usage guidelines A portal Web server belongs to only one MPLS L3VPN instance. Examples # Specify MPLS L3VPN instance abc for portal Web server wbs. <Sysname> system-view [Sysname] portal web-server wbs [Sysname-portal-websvr-wbs] vpn-instance abc web-redirect url Use web-redirect url to enable the Web redirect feature. Use undo web-redirect url to disable the Web redirect feature.
Port security commands display port-security Use display port-security to display port security configuration, operation information, and statistics for ports. Syntax display port-security [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays port security information for all ports.
Security MAC address attribute Learning mode : Sticky Aging type : Periodical Max secure MAC addresses : 32 Current secure MAC addresses Authorization : Permitted NAS-ID profile : Not configured Free VLANs : Not configured Open authentication : Disabled Table 31 Command output Field Description Port security...
Field Description Port mode Port security mode: • noRestrictions. • autoLearn. • macAddressWithRadius. • macAddressElseUserLoginSecure. • macAddressElseUserLoginSecureExt. • secure. • userLogin. • userLoginSecure. • userLoginSecureExt. • macAddressOrUserLoginSecure. • macAddressOrUserLoginSecureExt. • userLoginWithOUI. For more information about port security modes, see Security Configuration Guide.
Field Description Free VLANs VLANs in which packets will not trigger authentication. If you do not configure free VLANs, this field displays Not configured. Open authentication Whether open authentication mode is enabled on the port. display port-security mac-address block Use display port-security mac-address block to display information about blocked MAC addresses.
Table 32 Command output Field Description MAC ADDR Blocked MAC address. Port Port that received frames with the blocked MAC address as the source address. VLAN ID ID of the VLAN to which the port belongs. number mac address(es) found Number of blocked MAC addresses.
--- Number of secure MAC addresses: 1 --- Table 33 Command output Field Description MAC ADDR Secure MAC address. VLAN ID ID of the VLAN to which the port belongs. STATE Type of the MAC address. This field displays Secure for a secure MAC address.
Usage guidelines As a best practice, disable this feature to prevent excessive output of logs for port security users. If you do not specify any parameters, this command enables all logging functions for port security users. Examples # Enable logging for intrusion protection. <Sysname>...
Examples # Enable open authentication mode on Ten-GigabitEthernet 1/0/1. <Sysname> system-view [Sysname] interface ten-gigabitethernet 1/0/1 [Sysname-Ten-GigabitEthernet1/0/1] port-security authentication open Related commands display dot1x connection display mac-authentication connection port-security authentication open global port-security authentication open global Use port-security authentication open global to enable global open authentication mode. Use undo port-security authentication open global to disable global open authentication mode.
Related commands display dot1x connection display mac-authentication connection port-security authentication open port-security authorization ignore Use port-security authorization ignore to configure a port to ignore the authorization information received from the authentication server (a RADIUS server or the local device). Use undo port-security authorization ignore to restore the default. Syntax port-security authorization ignore undo port-security authorization ignore...
Default The authorization-fail-offline feature is disabled. The device does not log off users that fail authorization. Views System view Predefined user roles network-admin mdc-admin Parameters quiet-period: Enables the quiet timer for 802.1X or MAC authentication users that are logged off by the authorization-fail-offline feature.
undo port-security enable Default Port security is disabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines You must disable global 802.1X and MAC authentication before you enable port security on a port. Enabling or disabling port security resets the following security settings to the default: •...
mdc-admin Parameters vlan-id-list: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN by VLAN ID or specifies a range of VLANs in the form of start-vlan-id to end-vlan-id. The value range for VLAN IDs is 1 to 4094. The end VLAN ID must be equal to or greater than the start VLAN ID. Usage guidelines This command allows packets from the specified VLANs to not trigger 802.1X or MAC authentication on a port configured with any of the following features:...
Predefined user roles network-admin mdc-admin Parameters blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses. This action implements illegal traffic filtering on the port. A blocked MAC address is restored to normal after being blocked for 3 minutes, which is not user configurable.
Usage guidelines This command enables the device to periodically detect traffic data from secure MAC addresses. If only the aging timer is configured, the aging timer counts up regardless of whether traffic data has been sent from the secure MAC addresses. When you use the aging timer together with the inactivity aging feature, the aging timer restarts once traffic data is detected from the secure MAC addresses.
lost at reboot. Use this command when you want to clear all sticky MAC addresses after a device reboot. You can display dynamic secure MAC addresses by using the display port-security mac-address security command. The undo port-security mac-address dynamic command converts all dynamic secure MAC addresses on the port to sticky MAC addresses.
vlan vlan-id: Specifies the VLAN to which the secure MAC address belongs. The value range for the vlan-id argument is 1 to 4094. Usage guidelines Secure MAC addresses are MAC addresses configured or learned in autoLearn mode, and if saved, can survive a device reboot.
port-security mac-limit Use port-security mac-limit to set the maximum number of MAC addresses that port security allows for specific VLANs on a port. Use undo port-security mac-limit to restore the default. Syntax port-security mac-limit max-number per-vlan vlan-id-list undo port-security mac-limit per-vlan vlan-id-list Default The maximum number is 2147483647.
Related commands display dot1x display mac-authentication port-security mac-move permit Use port-security mac-move permit to enable MAC move on the device. Use undo port-security mac-move permit to disable MAC move on the device. Syntax port-security mac-move permit undo port-security mac-move permit Default MAC move is disabled on the device.
Default Port security does not limit the number of secure MAC addresses on a port. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Parameters max-count: Specifies the maximum number of secure MAC addresses that port security allows on the port.
port-security nas-id-profile Use port-security nas-id-profile to apply a NAS-ID profile to global or port-based port security. Use undo port-security nas-id-profile to restore the default. Syntax port-security nas-id-profile profile-name undo port-security nas-id-profile Default No NAS-ID profile is applied to port security globally or on any port. Views System view Layer 2 Ethernet interface view...
Syntax port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly } undo port-security ntk-mode Default The NTK feature is not configured on a port and all frames are allowed to be sent. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin...
Predefined user roles network-admin mdc-admin Parameters index-value: Specifies the OUI index, in the range of 1 to 16. oui-value: Specifies an OUI string, a 48-bit MAC address in the H-H-H format. The system uses only the 24 high-order bits as the OUI value. Usage guidelines You can configure multiple OUI values.
Parameters Keyword Security mode Description A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC address. Instead, the MAC addresses are added to the secure MAC address table as secure MAC addresses.
Keyword Security mode Description This mode is the combination of the userLoginSecure and macAddressWithRadius modes. In this mode, the port allows one 802.1X authentication user and multiple MAC authentication users to log in. In this mode, the port performs 802.1X authentication first.
When a short aging time (less than 60 seconds) works with inactivity aging, do not assign a large value to the maximum number of secure MAC addresses on a port. A large value in this case might affect device performance. Examples # Set the secure MAC aging timer to 30 minutes.
Password control commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display password-control Use display password-control to display password control configuration.
Table 34 Command output Field Description Password control Whether the password control feature is enabled. Password aging Whether password expiration is enabled and, if enabled, the aging time. Password length Whether the minimum password length restriction feature is enabled and, if enabled, the setting. Password composition Whether the password composition restriction feature is enabled and, if enabled, the settings.
ipv6 ipv6-address: Specifies the IPv6 address of a user. Usage guidelines If you do not specify any parameters, this command displays information about all users in the password control blacklist. The users' IP addresses and user accounts are added to the password control blacklist when the users fail authentication.
Predefined user roles network-admin mdc-admin Parameters aging: Enables the password expiration feature. composition: Enables the password composition restriction feature. history: Enables the password history feature. length: Enables the minimum password length restriction feature. Usage guidelines For a specific password control feature to take effect, make sure the global password control and the specific password control feature are both enabled.
undo password-control aging Default A password expires after 90 days. The password aging time for a user group equals the global setting. The password aging time for a local user equals that of the user group to which the local user belongs.
password-control alert-before-expire Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration. Use undo password-control alert-before-expire to restore the default. Syntax password-control alert-before-expire alert-time undo password-control alert-before-expire Default The default is 7 days.
Views System view User group view Local user view Predefined user roles network-admin mdc-admin Parameters same-character: Refuses a password that contains any character appearing consecutively three or more times. For example, the password aaabc is not complex enough. user-name: Refuses a password that contains the username or the reverse of the username. For example, if the username is 123, a password such as abc123 or 321df is not complex enough.
The password using the global composition policy must contain a minimum of one character type and a minimum of one character for each type. In FIPS mode: The password using the global composition policy must contain a minimum of four character types and a minimum of one character for each type.
# Specify that the password of device management user abc must contain a minimum of four character types and a minimum of five characters for each type. [Sysname] local-user abc class manage [Sysname-luser-manage-abc] password-control composition type-number 4 type-length 5 Related commands display local-user display password-control display user-group...
password-control expired-user-login Use password-control expired-user-login to set the maximum number of days and maximum number of times that a user can log in after the password expires. Use undo password-control expired-user-login to restore the defaults. Syntax password-control expired-user-login delay delay times times undo password-control expired-user-login Default A user can log in three times within 30 days after the password expires.
Predefined user roles network-admin mdc-admin Parameters max-record-number: Specifies the maximum number of history password records for each user. The value range is 2 to 15. Usage guidelines When the number of history password records reaches the maximum number, the subsequent history record overwrites the earliest one.
Local user view Predefined user roles network-admin mdc-admin Parameters length: Specifies the minimum password length in characters. The value range for this argument is 4 to 32 in non-FIPS mode, and 15 to 32 in FIPS mode. Usage guidelines The minimum length setting depends on the view: •...
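As an added example (not device code from this reference), the following Python checker applies the password-control rules described above for password-control composition, password-control complexity and password-control length, plus the history overwrite behaviour of password-control history: composition type-number/type-length, the same-character and user-name rules, the minimum length, and a fixed-size history. The four character-class sets, the history size of 4 and the use of SHA-256 for stored history records are assumptions made for the example.

```python
"""Password-control policy checker modelled on the commands on this page.
Added example; the character classes and history storage format are assumptions."""
import hashlib
import string
from collections import deque

# Assumption: the four character types are upper, lower, digit and punctuation.
CHAR_TYPES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def composition_ok(password, type_number, type_length):
    """password-control composition: at least type_number character types must
    each appear at least type_length times."""
    counts = {name: sum(1 for c in password if c in chars)
              for name, chars in CHAR_TYPES.items()}
    satisfied = sum(1 for n in counts.values() if n >= type_length)
    return satisfied >= type_number


def has_repeated_run(password, run=3):
    """complexity same-character: refuse any character appearing run or more
    times consecutively (the page's example: aaabc is not complex enough)."""
    streak = 1
    for prev, cur in zip(password, password[1:]):
        streak = streak + 1 if cur == prev else 1
        if streak >= run:
            return True
    return False


def contains_username(password, username):
    """complexity user-name: refuse the username or its reverse inside the
    password (the page's example: username 123 rejects abc123 and 321df)."""
    return username in password or username[::-1] in password


def check_password(password, username, min_length, fips=False,
                   type_number=None, type_length=1,
                   same_character=True, user_name=True):
    """Return the list of violated rules; an empty list means the password is accepted.
    type_number defaults to the global composition policy stated on the page:
    1 type in non-FIPS mode, 4 types in FIPS mode, 1 character of each type."""
    if type_number is None:
        type_number = 4 if fips else 1
    violations = []
    if len(password) < min_length:
        violations.append("length")
    if not composition_ok(password, type_number, type_length):
        violations.append("composition")
    if same_character and has_repeated_run(password):
        violations.append("same-character")
    if user_name and contains_username(password, username):
        violations.append("user-name")
    return violations


class PasswordHistory:
    """password-control history for one user: once max_records is reached,
    the newest record overwrites the earliest one (page: range 2 to 15)."""

    def __init__(self, max_records=4):
        if not 2 <= max_records <= 15:
            raise ValueError("max-record-number must be in the range 2 to 15")
        self.records = deque(maxlen=max_records)

    @staticmethod
    def _digest(password):
        # Assumption: history is kept as SHA-256 digests, not plaintext.
        return hashlib.sha256(password.encode()).hexdigest()

    def is_reused(self, password):
        return self._digest(password) in self.records

    def record(self, password):
        self.records.append(self._digest(password))


if __name__ == "__main__":
    for pw, user in (("aaabc", "bob"), ("abc123", "123"), ("321df", "123")):
        print(pw, "->", check_password(pw, user, min_length=4) or "accepted")
```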
Default The maximum account idle time is 90 days. Views System view Predefined user roles network-admin mdc-admin Parameters idle-time: Specifies the maximum account idle time in days. The value range is 0 to 365. 0 means no restriction for account idle time. Usage guidelines If a user account is idle for this period of time, the account becomes invalid and can no longer be used to log in to the device.
mdc-admin Parameters login-times: Specifies the maximum number of consecutive login failures. The value range is 2 to 10. exceed: Specifies an action to be taken for the user who fails to log in after making the maximum number of attempts. •...
# Display the password control blacklist. The output shows that the user account is on the blacklist, and its status is lock. [Sysname] display password-control blacklist Username: test IP: 192.168.44.1 Login failures: 4 Lock flag: lock Blacklist items matched: 1. # Verify that the user at 192.168.44.1 cannot use this user account to log in.
mdc-admin Parameters aging-time: Specifies the super password aging time in days, in the range of 1 to 365. Examples # Set the super passwords to expire after 10 days. <Sysname> system-view [Sysname] password-control super aging 10 Related commands display password-control password-control aging password-control super composition Use password-control super composition to configure the composition policy for super...
Examples # Specify that a super password must contain a minimum of four character types and a minimum of five characters for each type. <Sysname> system-view [Sysname] password-control super composition type-number 4 type-length 5 Related commands display password-control password-control composition password-control super length Use password-control super length to set the minimum length for super passwords.
Syntax password-control update-interval interval undo password-control update-interval Default The minimum password update interval is 24 hours. Views System view Predefined user roles network-admin mdc-admin Parameters interval: Specifies the minimum password update interval in hours, in the range of 0 to 168. 0 means no requirement for the password update interval.
<Sysname> reset password-control blacklist user-name test Are you sure to delete the specified user in blacklist? [Y/N]: Related commands display password-control blacklist reset password-control history-record Use reset password-control history-record to delete history password records. Syntax reset password-control history-record [ super [ role role-name ] | user-name user-name ] Views User view Predefined user roles...
Keychain commands accept-lifetime utc Use accept-lifetime utc to set the receiving lifetime for a key of a keychain in absolute time mode. Use undo accept-lifetime to restore the default. Syntax accept-lifetime utc start-time start-date { duration { duration-value | infinite } | to end-time end-date } undo accept-lifetime Default...
<Sysname> system-view [Sysname] keychain abc mode absolute [Sysname-keychain-abc] key 1 [Sysname-keychain-abc-key-1] accept-lifetime utc 12:30 2015/1/21 to 18:30 2015/1/21 accept-tolerance Use accept-tolerance to set a tolerance time for accept keys in a keychain. Use undo accept-tolerance to restore the default. Syntax accept-tolerance { value | infinite } undo accept-tolerance Default...
undo authentication-algorithm Default No authentication algorithm is specified for a key. Views Key view Predefined user roles network-admin mdc-admin Parameters hmac-md5: Specifies the HMAC-MD5 authentication algorithm. hmac-sha-256: Specifies the HMAC-SHA-256 authentication algorithm. md5: Specifies the MD5 authentication algorithm. Usage guidelines If an application does not support the authentication algorithm specified for a key, the application cannot use the key for packet authentication.
Parameters key-id: Specifies a key ID in the range of 0 to 281474976710655. Usage guidelines The keys in a keychain must have different key IDs. Examples # Create key 1 and enter its view. <Sysname> system-view [Sysname] keychain abc mode absolute [Sysname-keychain-abc] key 1 [Sysname-keychain-abc-key-1] keychain...
key-string Use key-string to configure a key string for a key. Use undo key-string to restore the default. Syntax key-string { cipher | plain } string undo key-string Default No key string is configured for a key. Views Key view Predefined user roles network-admin mdc-admin...
Predefined user roles network-admin mdc-admin Parameters start-time: Specifies the start time in the HH:MM:SS format. The value range for this argument is 0:0:0 to 23:59:59. start-date: Specifies the start date in the MM/DD/YYYY or YYYY/MM/DD format. The value range for YYYY is 2000 to 2035.
mdc-admin Parameters hmac-md5: Specifies the HMAC-MD5 authentication algorithm, which provides a key length of 16 bytes. md5: Specifies the MD5 authentication algorithm, which provides a key length of 16 bytes. algorithm-id: Specifies an algorithm ID in the range of 1 to 63. Usage guidelines If an application uses keychain authentication during TCP connection establishment, the incoming and outgoing TCP packets will carry the TCP Enhanced Authentication Option.
Public key management commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display public-key local public Use display public-key local public to display local public keys.
Key code: ... # Display the public key of the local ECDSA key pair ecdsa1. <Sysname> display public-key local ecdsa public name ecdsa1 ============================================= Key name: ecdsa1 Key type: ECDSA Time when key pair created: 15:43:33 2011/05/12 Key code: 3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1...
Syntax display public-key peer [ brief | name publickey-name ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters brief: Displays brief information about all peer host public keys. The brief information includes only the key type, key modulus, and key name. name publickey-name: Displays detailed information about a peer host public key, including its key code.
Type Modulus Name --------------------------- 1024 idrsa 1024 10.1.1.1 Table 39 Command output Field Description Type Key type: RSA, DSA or ECDSA. Modulus Key modulus length in bits. Name Name of the peer host public key. Related commands public-key peer public-key peer import sshkey peer-public-key end Use peer-public-key end to exit public key view to system view and save the configured peer host public key.
[Sysname-pkey-public-key-key1]0001 [Sysname-pkey-public-key-key1] peer-public-key end [Sysname] Related commands display public-key local public display public-key peer public-key peer public-key local create Use public-key local create to create local key pairs. Syntax In non-FIPS mode: public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1 | secp521r1 ] | rsa } [ name key-name ] In FIPS mode: public-key local create { dsa | ecdsa [ secp256r1 | secp384r1 | secp521r1 ] | rsa } [ name...
Type / Default name: DSA / dsakey; ECDSA / ecdsakey. Usage guidelines The key algorithm must be the same as required by the security application. When you create an RSA or DSA key pair, enter an appropriate key modulus length at the prompt. The longer the key modulus length, the higher the security, and the longer the key generation time. When you create an ECDSA key pair, choose the appropriate elliptic curve.
...++++++ .++++++ ..++++++++ ..++++++++ Create the key pair successfully. # Create a local DSA key pair with the default name. <Sysname> system-view [Sysname] public-key local create dsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
..+..+....+.....+...+..+....+..+..+....+..+...+..+..+..+....+..+......+..+..+....+..+...+......+..+..+...+..+..+.......+++++++++++++++++++++++++++++++++++++++++++++++++++* Create the key pair successfully. # Create a local ECDSA key pair with the name ecdsa1. <Sysname> system-view [Sysname] public-key local create ecdsa name ecdsa1 Generating Keys... Create the key pair successfully. # In FIPS mode, create a local RSA key pair with the default name. <Sysname>...
Views System view Predefined user roles network-admin mdc-admin Parameters dsa: Specifies the DSA key pair type. ecdsa: Specifies the ECDSA key pair type. rsa: Specifies the RSA key pair type. name key-name: Specifies a local key pair by its name, a case-insensitive string of 1 to 64 characters.
Related commands public-key local create public-key local export dsa Use public-key local export dsa to export a local DSA host public key. Syntax public-key local export dsa [ name key-name ] { openssh | ssh2 } [ filename ] Views System view Predefined user roles network-admin...
<Sysname> system-view [Sysname] public-key local export dsa ssh2 ---- BEGIN SSH2 PUBLIC KEY ---- Comment: "dsa-key-2011/05/12" AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9/5ra4WzTO9yzhSg06UiL+CM7OZb5sJlhUiJ3 B7b0T7IsnTan3W6Jsy5h3I2Anh+kiuoRCHyLDyJy5sG/WD+AZQd3Xf+axKJPadu68HRKNl/BnjXcitTQchQbz WCFLFqL6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YU XrZWUGEzN/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HH bB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACAQZEs400SvNIVfnqxw vA7PvOVEA89tKni/f6GDBvWY9Z2Q499pAqUBtYcqQea8T4zBInxx2eF3lLaZJrIvAS205zXxSzQoU9190kakd MdasIjQLWYGyepFc3sTwmIflQeweUwLVAPaOesKaCERjxg+e4maYWlAvySGT4c9NJlxLo= ---- END SSH2 PUBLIC KEY ---- # Display the host public key of the local DSA key pair with the default name in OpenSSH format. <Sysname>...
Related commands: public-key local create, public-key peer import sshkey
public-key local export ecdsa
Use public-key local export ecdsa to export a local ECDSA host public key.
Syntax public-key local export ecdsa [ name key-name ] { openssh | ssh2 } [ filename ]
Views System view
Predefined user roles...
<Sysname> system-view [Sysname] public-key local export ecdsa openssh key.pub # Display the host public key of the local ECDSA key pair with the default name in SSH 2.0 format. <Sysname> system-view [Sysname] public-key local export ecdsa ssh2 ---- BEGIN SSH2 PUBLIC KEY ---- Comment: "ecdsa-sha2-nistp256-2014/07/06"...
For more information about file names, see Fundamentals Configuration Guide. If you do not specify a file name, this command displays the key on the monitor screen. Usage guidelines You can use this command to export a local RSA host public key before distributing it to a peer device.
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDevEbyF93xHUJucJWqRc1r8fhzQ9lSVprCI6ATZeDYyR1J00fBQ8XY+ q2olqoagn5YDyUC8ZJvUhlyMOHeORpkAVxD3XncTp4XG66h3rTHHa7Xmm7f1GDYlF0n05t8mCLVaupbfCzP8b a8UkrUmMO4fUvW6zavA5LYxtlAiQv0KQ== ---- END SSH2 PUBLIC KEY ---- # Display the host public key of the local RSA key pair rsa1 in OpenSSH format. <Sysname> system-view [Sysname] public-key local export rsa name rsa1 openssh ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDevEbyF93xHUJucJWqRc1r8fhzQ9lSVprCI6ATZeDYyR1J00fBQ8XY+ q2olqoagn5YDyUC8ZJvUhlyMOHeORpkAVxD3XncTp4XG66h3rTHHa7Xmm7f1GDYlF0n05t8mCLVaupbfCzP8b a8UkrUmMO4fUvW6zavA5LYxtlAiQv0KQ== rsa-key Related commands public-key local create public-key peer import sshkey...
<Sysname> system-view [Sysname] public-key peer key1 Enter public key view. Return to system view with "peer-public-key end" command. [Sysname-pkey-public-key-key1] Related commands display public-key local public display public-key peer peer-public-key end public-key peer import sshkey Use public-key peer import sshkey to import a peer host public key from a public key file. Use undo public-key peer to remove a peer host public key.
Related commands display public-key peer public-key local export dsa public-key local export ecdsa public-key local export rsa...
PKI commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. attribute Use attribute to configure a rule to filter certificates based on an attribute in the certificate issuer name, subject name, or alternative subject name field.
An attribute rule is a combination of an attribute-value pair with an operation keyword, as listed in Table 42.
Table 42 Combinations of attribute-value pairs and operation keywords
Operation | DN | FQDN/IP
... | The DN contains the specified attribute value. | Any FQDN or IP address contains the specified attribute value.
Views PKI domain view Predefined user roles network-admin mdc-admin Parameters name: Specifies the trusted CA by its name, a case-sensitive string of 1 to 63 characters. Usage guidelines To obtain a CA certificate in a PKI domain, you must specify the trusted CA name. The trusted CA name uniquely identifies the CA to be used if multiple CAs exist on the CA server specified for the PKI domain.
• State and country where the entity resides. • FQDN. • IP address. You can specify only one PKI entity for a PKI domain. If you execute this command multiple times, the most recent configuration takes effect. Examples # Specify PKI entity en1 for certificate request in PKI domain aaa. <Sysname>...
Use undo certificate request mode to restore the default. Syntax certificate request mode { auto [ password { cipher | simple } string ] | manual } undo certificate request mode Default The certificate request mode is manual. Views PKI domain view Predefined user roles network-admin mdc-admin...
certificate request polling Use certificate request polling to set the polling interval and the maximum number of attempts to query certificate request status. Use undo certificate request polling to restore the defaults. Syntax certificate request polling { count count | interval interval } undo certificate request polling { count | interval } Default The polling interval is 20 minutes, and the maximum number of attempts is 50.
undo certificate request url Default The URL of the certificate request reception authority is not specified. Views PKI domain view Predefined user roles network-admin mdc-admin Parameters url-string: Specifies the URL of the certificate request reception authority, a case-sensitive string of 1 to 511 characters.
Predefined user roles network-admin mdc-admin Parameters common-name-string: Specifies a common name, a case-sensitive string of 1 to 63 characters. No comma can be included. You can set the username of the PKI entity as the common name. Examples # Set the common name to test for PKI entity en. <Sysname>...
Default CRL checking is enabled. Views PKI domain view Predefined user roles network-admin mdc-admin Usage guidelines A CRL is a list of revoked certificates signed and published by a CA. Revoked certificates should no longer be trusted. Enable CRL checking to ensure that the device only accepts certificates that have not been revoked by the issuing CA.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If the CRL repository is on the public network, do not specify this option. Usage guidelines To use CRL checking, a CRL must be obtained from a CRL repository. The device selects a CRL repository in the following order: CRL repository specified in the PKI domain by using this command.
Usage guidelines If you do not specify a policy name, this command displays information about all certificate-based access control policies. Examples # Display information about certificate-based access control policy mypolicy. <Sysname> display pki certificate access-control-policy mypolicy Access control policy name: mypolicy Rule 1 deny mygroup1...
Parameters group-name: Specifies a certificate attribute group by its name, a case-insensitive string of 1 to 31 characters. Usage guidelines If you do not specify a certificate attribute group, this command displays information about all certificate attribute groups. Examples # Display information about certificate attribute group mygroup. <Sysname>...
display pki certificate domain Use display pki certificate domain to display information about certificates. Syntax display pki certificate domain domain-name { ca | local | peer [ serial serial-num ] } Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.
5c:72:dc:c4:a5:43:cd:f9:32:b9:c1:90:8f:dd:50:f6 Signature Algorithm: sha1WithRSAEncryption Issuer: C=cn, O=docm, OU=rnd, CN=rootca Validity Not Before: Jan 6 02:51:41 2011 GMT Not After : Dec 7 03:12:05 2013 GMT Subject: C=cn, O=ccc, OU=ppp, CN=rootca Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:c4:fd:97:2c:51:36:df:4c:ea:e8:c8:70:66:f0: 28:98:ec:5a:ee:d7:35:af:86:c4:49:76:6e:dd:40:...
52:e1:99:b3:de:73:8b:ad:a8:04:f9:a1:f9:0d:67: d8:95:e2:26:a4:0b:c2:8c:63:32:5d:38:3e:fd:b7: 4a:83:69:0e:3e:24:e4:ab:91:6c:56:51:88:93:9e: 12:a4:30:ad:ae:72:57:a7:ba:fb:bc:ac:20:8a:21: 46:ea:e8:93:55:f3:41:49:e9:9d:cc:ec:76:13:fd: a5:8d:cb:5b:45:08:b7:d1:c5:b5:58:89:47:ce:12: bd:5c:ce:b6:17:2f:e0:fc:c0:3e:b7:c4:99:31:5b: 8a:f0:ea:02:fd:2d:44:7a:67 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin Netscape Comment: User Certificate of OpenCA Labs...
dd:a0:2c:c0:aa:16:81:aa:d9:33:ca:01:75:94:92:44:05:1a: 65:41:fa:1e:41:b5:8a:cc:2b:09:6e:67:70:c4:ed:b4:bc:28: 04:50:a6:33:65:6d:49:3c:fc:a8:93:88:53:94:4c:af:23:64: cb:af:e3:02:d1:b6:59:5f:95:52:6d:00:00:a0:cb:75:cf:b4: 50:c5:50:00:65:f4:7d:69:cc:2d:68:a4:13:5c:ef:75:aa:8f: 3f:ca:fa:eb:4d:d5:5d:27:db:46:c7:f4:7d:3a:b2:fb:a7:c9: de:18:9d:c1 # Display brief information about all peer certificates in the PKI domain aaa. <Sysname> display pki certificate domain aaa peer Total peer certificates: 1 Serial Number: 9a0337eb2156ba1f5476e4d754a5a9f7 Subject Name: CN=sldsslserver # Display detailed information about a peer certificate in the PKI domain aaa. <Sysname>...
Netscape Cert Type: SSL Server X509v3 Subject Alternative Name: DNS:docm.com X509v3 Subject Key Identifier: 3C:76:95:9B:DD:C2:7F:5F:98:83:B7:C7:A0:F8:99:1E:4B:D7:2F:26 X509v3 CRL Distribution Points: Full Name: URI:http://s03130.ccc.sec.com:447/ssl.crl Signature Algorithm: sha1WithRSAEncryption 61:2d:79:c7:49:16:e3:be:25:bb:8b:70:37:31:32:e5:d3:e3: 31:2c:2d:c1:f9:bf:50:ad:35:4b:c1:90:8c:65:79:b6:5f:59: 36:24:c7:14:63:44:17:1e:e4:cf:10:69:fc:93:e9:70:53:3c: 85:aa:40:7e:b5:47:75:0f:f0:b2:da:b4:a5:50:dd:06:4a:d5: 17:a5:ca:20:19:2c:e9:78:02:bd:19:77:da:07:1a:42:df:72: ad:07:7d:e5:16:d6:75:eb:6e:06:58:ee:76:31:63:db:96:a2: ad:83:b6:bb:ba:4b:79:59:9d:59:6c:77:59:5b:d9:07:33:a8: f0:a5 Related commands pki domain pki retrieve-certificate display pki certificate request-status Use display pki certificate request-status to display certificate request status.
Character name | Symbol
Backslash | \
Right angle bracket | >
Vertical bar | |
Quotation marks | "
Colon | :
Apostrophe | '
Usage guidelines
If you do not specify a PKI domain, this command displays the certificate request status for all PKI domains.
Examples
# Display certificate request status for PKI domain aaa.
Related commands: certificate request polling, pki domain, pki retrieve-certificate
display pki crl domain
Use display pki crl domain to display information about the CRL saved locally for a PKI domain.
Syntax display pki crl domain domain-name
Views Any view
Predefined user roles network-admin network-operator...
Syntax fqdn fqdn-name-string undo fqdn Default No FQDN is set for a PKI entity. Views PKI entity view Predefined user roles network-admin mdc-admin Parameters fqdn-name-string: Specifies an FQDN, a case-sensitive string of 1 to 255 characters in the format hostname@domainname. Usage guidelines An FQDN uniquely identifies a PKI entity on a network.
Usage guidelines Use this command to assign an IP address to a PKI entity or specify an interface for the entity. The interface's primary IPv4 address will be used as the IP address of the PKI entity. If you specify an interface, make sure the interface is assigned an IP address before the PKI entity requests a certificate.
[Sysname] pki domain aaa [Sysname-pki-domain-aaa] ldap-server host 10.0.0.1 # Specify LDAP server 10.0.0.11 in VPN instance vpn1 for PKI domain aaa. Set the port number to 333. <Sysname> system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] ldap-server host 10.0.0.11 port 333 vpn-instance vpn1 Related commands pki retrieve-certificate pki retrieve-crl...
Default No organization name is set for a PKI entity. Views PKI entity view Predefined user roles network-admin mdc-admin Parameters org-name: Specifies an organization name, a case-sensitive string of 1 to 63 characters. No comma can be included. Examples # Set the organization name to abc for PKI entity en. <Sysname>...
Syntax pki abort-certificate-request domain domain-name Views System view Predefined user roles network-admin mdc-admin Parameters domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 50. Table 50 Special characters Character name...
Default No certificate-based access control policies exist. Views System view Predefined user roles network-admin mdc-admin Parameters policy-name: Specifies a policy name, a case-insensitive string of 1 to 31 characters. Usage guidelines A certificate-based access control policy contains a set of access control rules that permit or deny access to the device based on the attributes in the requesting client's certificate.
Usage guidelines A certificate attribute group is a set of attribute rules configured by using the attribute command. Each attribute rule defines a matching criterion for an attribute in the issuer name, subject name, or alternative subject name field of certificates. A certificate attribute group must be associated with an access control rule (a permit or deny statement configured by using the rule command).
serial serial-num: Specifies a peer certificate by its serial number, a case-insensitive string of 1 to 127 characters. If you do not specify a serial number, this command removes all peer certificates in the PKI domain. Usage guidelines When you remove the CA certificate in a PKI domain, the system also removes the local certificates, peer certificates, and the CRL in the PKI domain.
Default No PKI domains exist. Views System view Predefined user roles network-admin mdc-admin Parameters domain-name: Specifies a PKI domain name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 52. Table 52 Special characters Character name Symbol Character name...
Parameters entity-name: Specifies a name for a PKI entity, a case-insensitive string of 1 to 31 characters. Usage guidelines A PKI entity includes the identity information that can be used by a CA to identify a certificate applicant. You can configure multiple attributes for a PKI entity, such as common name, organization, organization unit, locality, state, country, FQDN, and IP address.
all: Specifies both CA and local certificates. The RA certificate is excluded. ca: Specifies the CA certificate. local: Specifies the local certificates or the local certificates and their private keys. passphrase p12-key: Specifies a password for encrypting the private key of a local PKCS12 certificate.
When you export the local certificates or all certificates in PEM format, you must specify the cryptographic algorithm and the challenge password for the private key. If you do not specify the cryptographic algorithm and the challenge password, this command does not export the private keys of the local certificates.
W2Lp9Xk4nZVIpVV76CkNe8/C+Id00GCRUUVQFSMvo7Pded76bmYX2KzJSz+DlMqy TdVrgG9Fp6XTFO80aKJGe6NapsfhJHKS+Q7mL0XpXeMONgK+e3dX7rsDxsY7hF+j 0gwsHrjV7kWvwJvDlhzGW6xbpr4DRmdcao19Cr6o= -----END CERTIFICATE----- # Export the CA certificate in the PKI domain to a file named cacert in PEM format. <Sysname> system-view [Sysname] pki export domain domain1 pem ca filename cacert # Display the CA certificate or the CA certificate chain in the PKI domain on the terminal. <Sysname>...
-----END CERTIFICATE----- # Export the local certificates and their private keys in the PKI domain to a file named cert-lo.der in PKCS12 format. The password for the private keys is 123. <Sysname> system-view [Sysname] pki export domain domain1 p12 local passphrase 123 filename cert-lo.der # Export all certificates in the PKI domain to a file named cert-all.p7b in PKCS12 format.
Usage guidelines Use this command to import a certificate in the following situations: • The CRL repository is not specified or the CA server does not support SCEP. • The certificate is packed with the server generated key pair in a single file. Only certificate files in PKCS12 or PEM format can contain key pairs.
If a matching key pair is found, the device asks whether you want to overwrite the existing key pair on the device. If no match is found, the device asks you to enter a key pair name (defaulting to the PKI domain name).
Please input the password:******** Local certificate already exist, confirm to overwrite it? [Y/N]:y The PKI domain already has a CA certificate. If it is overwritten, local certificates, peer certificates and CRL of this domain will also be deleted. Overwrite it? [Y/N]:y The system is going to save the key pair.
password password: Sets the password for certificate revocation, a case-sensitive string of 1 to 31 characters. The password is contained in the certificate request and must be provided if the certificate is revoked. pkcs10: Displays BASE64-encoded PKCS#10 certificate request information, which can be used to request a certificate by an out-of-band means, like phone, disk, or email.
Predefined user roles network-admin mdc-admin Parameters domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 56. Table 56 Special characters Character name Symbol Character name Symbol Tilde...
<Sysname> system-view [Sysname] pki retrieve-certificate domain aaa peer en1 Related commands display pki certificate pki delete-certificate pki retrieve-crl Use pki retrieve-crl to obtain CRLs and save them locally. Syntax pki retrieve-crl domain domain-name Views System view Predefined user roles network-admin mdc-admin Parameters domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.
Examples # Obtain CRLs from the CRL repository. <Sysname> system-view [Sysname] pki retrieve-crl domain aaa Related commands crl url ldap server pki storage Use pki storage to specify the storage path for the certificates or CRLs. Use undo pki storage to restore the default. Syntax pki storage { certificates | crls } dir-path undo pki storage { certificates | crls }...
<Sysname> system-view
[Sysname] pki storage crls pki-new
pki validate-certificate
Use pki validate-certificate to verify the validity of certificates.
Syntax pki validate-certificate domain domain-name { ca | local }
Views System view
Predefined user roles network-admin mdc-admin
Parameters domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 58. Table 58 Special characters...
[Sysname] pki validate-certificate domain aaa ca Verifying certificate..Serial Number: f6:3c:15:31:fe:bb:ec:94:dc:3d:b9:3a:d9:07:70:e5 Issuer: C=cn O=ccc OU=ppp CN=rootca Subject: C=cn O=abc OU=test CN=aca Verify result: OK Verifying certificate..Serial Number: 5c:72:dc:c4:a5:43:cd:f9:32:b9:c1:90:8f:dd:50:f6 Issuer: C=cn O=ccc OU=ppp CN=rootca Subject: C=cn O=ccc OU=ppp CN=rootca Verify result: OK # Verify the local certificates in PKI domain aaa.
Related commands crl check pki domain public-key dsa Use public-key dsa to specify a DSA key pair for certificate request. Use undo public-key to restore the default. Syntax public-key dsa name key-name [ length key-length ] undo public-key Default No key pair is specified for certificate request. Views PKI domain view Predefined user roles...
Related commands pki import public-key local create public-key ecdsa Use public-key ecdsa to specify an ECDSA key pair for certificate request. Use undo public-key to restore the default. Syntax In non-FIPS mode: public-key ecdsa name key-name [ secp192r1 | secp256r1 | secp384r1 | secp521r1 ] undo public-key In FIPS mode: public-key ecdsa name key-name [ secp256r1 | secp384r1 | secp521r1 ]...
The specified elliptic curve takes effect only if you specify a nonexistent key pair. The device will automatically create the key pair by using the specified name and curve before submitting a certificate request. The curve parameter is ignored if the specified key pair already exists or is already contained in an imported certificate.
Usage guidelines You can specify a nonexistent key pair in this command. You can get a key pair in any of the following ways: • Use the public-key local create command to generate a key pair. • An application triggers the device to generate a key pair. •...
undo root-certificate fingerprint Default No fingerprint is set for verifying the root CA certificate. Views PKI domain view Predefined user roles network-admin mdc-admin Parameters md5: Sets an MD5 fingerprint. sha1: Sets an SHA1 fingerprint. string: Sets the fingerprint in hexadecimal notation. If you specify the MD5 keyword, the fingerprint is a string of 32 characters.
<Sysname> system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93 Related commands certificate request mode pki import pki retrieve-certificate rule Use rule to create an access control rule. Use undo rule to remove an access control rule. Syntax rule [ id ] { deny | permit } group-name undo rule id Default No access control rules exist.
Examples # Create rule 1 to permit all certificates that match certificate attribute group mygroup. <Sysname> system-view [Sysname] pki certificate access-control-policy mypolicy [Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup Related commands attribute display pki certificate access-control-policy pki certificate attribute-group source Use source to specify the source IP address for PKI protocol packets. Use undo source to restore the default.
<Sysname> system-view [Sysname] pki domain 1 [Sysname-pki-domain-1] source ipv6 1::8 # Use the IP address of VLAN-interface 1 as the source IP address for PKI protocol packets. <Sysname> system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] source ip interface vlan-interface 1 # Use the IPv6 address of VLAN-interface 1 as the source IPv6 address for PKI protocol packets. <Sysname>...
Default No extensions for certificates are specified. A certificate can be used for SSL clients, and SSL servers. Views PKI domain view Predefined user roles network-admin mdc-admin Parameters ssl-client: Specifies the SSL client certificate extension so the SSL client can use the certificates. ssl-server: Specifies the SSL server certificate extension so the SSL server can use the certificates.
SSH commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. SSH server commands display ssh server Use display ssh server on an SSH server to display the SSH server status or sessions.
Field Description SSH authentication-timeout Authentication timeout timer. SSH server key generating interval Minimum interval for updating the RSA server key pair. SSH authentication retries Maximum number of authentication attempts for SSH users. SFTP server Whether the SFTP server is enabled. SFTP server Idle-Timeout SFTP connection idle timeout timer.
Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If you do not specify an SSH user, this command displays information about all SSH users. Usage guidelines This command displays information only about SSH users that are configured by using the ssh user command on the SSH server.
Syntax free ssh { user-ip { ip-address | ipv6 ipv6-address } [ port port-number ] | user-pid pid-number | username username } Views User view Predefined user roles network-admin mdc-admin Parameters user-ip: Specifies the user IP address of the SSH sessions to be disconnected. ip-address: Specifies the user IPv4 address of the SSH sessions to be disconnected.
Default The SCP server is disabled. Views System view Predefined user roles network-admin mdc-admin Examples # Enable the SCP server. <Sysname> system-view [Sysname] scp server enable Related commands display ssh server sftp server enable Use sftp server enable to enable the SFTP server. Use undo sftp server enable to disable the SFTP server.
undo sftp server idle-timeout Default The idle timeout timer is 10 minutes for SFTP connections. Views System view Predefined user roles network-admin mdc-admin Parameters time-out-value: Specifies an idle timeout timer in the range of 1 to 35791 minutes. Usage guidelines If an SFTP connection is idle when the idle timeout timer expires, the system automatically terminates the connection.
Usage guidelines The ACL specified in this command filters IPv4 SSH clients' connection requests. Only the IPv4 SSH clients that the ACL permits can access the device. If the specified ACL does not exist or contains no rules, all IPv4 SSH clients can access the device. The ACL takes effect only on SSH connections that are initiated after the ACL configuration.
Related commands ssh server acl ssh server ipv6 acl ssh server authentication-retries Use ssh server authentication-retries to set the maximum number of authentication attempts for SSH users. Use undo ssh server authentication-retries to restore the default. Syntax ssh server authentication-retries retries undo ssh server authentication-retries Default The maximum number of authentication attempts is 3 for SSH users.
ssh server authentication-timeout Use ssh server authentication-timeout to set the SSH user authentication timeout timer on the SSH server. Use undo ssh server authentication-timeout to restore the default. Syntax ssh server authentication-timeout time-out-value undo ssh server authentication-timeout Default The SSH user authentication timeout timer is 60 seconds. Views System view Predefined user roles...
Predefined user roles network-admin network-operator mdc-admin mdc-operator Usage guidelines This command is not available in FIPS mode. The undo form of this command restores the default setting whether you specify the enable keyword or not. This configuration does not affect logged-in users. It affects only users that attempt to log in after the configuration.
[Sysname] ssh server dscp 30 ssh server enable Use ssh server enable to enable the Stelnet server. Use undo ssh server enable to disable the Stelnet server. Syntax ssh server enable undo ssh server enable Default The Stelnet server is disabled. Views System view Predefined user roles...
mac mac-acl-number: Specifies a Layer 2 ACL by its number in the range of 4000 to 4999. Usage guidelines The ACL specified in this command filters IPv6 SSH clients' connection requests. Only the IPv6 SSH clients that the ACL permits can access the device. If the specified ACL does not exist or contains no rules, all IPv6 SSH clients can access the device.
ssh server pki-domain Use ssh server pki-domain to specify a PKI domain for an SSH server. Use undo ssh server pki-domain to restore the default. Syntax ssh server pki-domain domain-name undo ssh server pki-domain Default No PKI domain is specified for an SSH server. Views System view Predefined user roles...
Views System view Predefined user roles network-admin mdc-admin Parameters port-number: Specifies a port number in the range of 1 to 65535. Usage guidelines If you modify the SSH port number when the SSH server is enabled, the SSH service is restarted and all SSH connections are terminated after the modification.
The system starts to count down the configured minimum update interval after the first SSH1 user logs in to the server. If a new SSH1 user logs in to the server after the interval, the system performs the following operations: Updates the RSA server key pair.
• scp: Specifies the service type SCP. • sftp: Specifies the service type SFTP. • stelnet: Specifies the service type Stelnet. • netconf: Specifies the service type NETCONF. authentication-type: Specifies an authentication method for the SSH user. • password: Specifies password authentication. This authentication method provides easy and fast encryption, but it is vulnerable.
In either case, the local user or the SSH user configured on the remote authentication server must have the same username as the SSH user. For an SFTP or SCP user, the working directory depends on the authentication method. • If the authentication method is publickey or password-publickey, the working directory is specified by the authorization-attribute command in the associated local user view.
Predefined user roles network-admin network-operator mdc-admin mdc-operator Usage guidelines This command has the same function as the exit and quit commands. Examples # Terminate the connection with the SFTP server. sftp> bye <Sysname> Use cd to change the working directory on the SFTP server. Syntax cd [ remote-path ] Views...
Predefined user roles network-admin mdc-admin Example # Return to the upper-level directory from the current working directory /test1. sftp> cd test1 Current Directory is:/test1 sftp> pwd Remote working directory: /test1 sftp> cdup Current Directory is:/ sftp> pwd Remote working directory: / sftp>...
Predefined user roles network-admin mdc-admin Parameters server-ip ip-address: Specifies the IP address of the server whose public key information will be deleted. If you do not specify a server IP address, this command deletes the public keys of all servers from the client's public key file.
-rwxrwxrwx 301 Dec 18 14:11 010.pub -rwxrwxrwx 301 Dec 18 14:12 011.pub -rwxrwxrwx 301 Dec 18 14:12 012.pub # Display detailed information about the files and subdirectories under the current directory, excluding the files and subdirectories with names starting with dots (.). sftp>...
mdc-operator Parameters server-ip ip-address: Specifies the IP address of the server whose public key information will be displayed. If you do not specify a server IP address, this command displays the public keys of all servers saved in the client's public key file. Usage guidelines When a user connects to an unauthenticated server and selects to save the server's public key, the server public key will be saved to the public key file.
Field | Description
Key type | Type of the public key:
• dsa—DSA public key.
• ecdsa-sha2-nistp256—256-bit ECDSA public key created by using the secp256r1 curve.
• ecdsa-sha2-nistp384—384-bit ECDSA public key created by using the secp384r1 curve.
• rsa—RSA public key.
Key length | Length of the public key, in bits.
mdc-admin mdc-operator Usage guidelines This command has the same function as the bye and quit commands. Examples # Terminate the SFTP connection. sftp> exit <Sysname> Use get to download a file from the SFTP server and save it locally. Syntax get remote-file [ local-file ] Views SFTP client view...
Usage guidelines This command has the same function as entering the question mark (?). Examples # Display help information on the SFTP client. sftp> help Available commands: Quit sftp cd [path] Change remote directory to 'path' cdup Change remote directory to the parent directory delete path Delete remote file dir [-a|-l][path]...
remote-path: Specifies the name of the directory to be queried. If you do not specify this argument, the command displays information about the files and subdirectories under the current working directory.
Usage guidelines
If you specify neither the -a keyword nor the -l keyword, this command displays only the names of the files and subdirectories under a directory.
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Parameters
local-file: Specifies the name of a local file.
remote-file: Specifies the name of a file on an SFTP server. If you do not specify this argument, the file will be remotely saved with the same name as the local file.
Examples
# Upload the local file startup.bak to the SFTP server and save it as startup01.bak.
mdc-admin
mdc-operator
Usage guidelines
This command has the same function as the bye and exit commands.
Examples
# Terminate the SFTP connection.
sftp> quit
<Sysname>
remove
Use remove to delete a file from the SFTP server.
Syntax
remove remote-file
Views
SFTP client view
Predefined user roles
network-admin...
Examples
# Change the name of a file on the SFTP server from temp1.c to temp2.c.
sftp> dir
aa.pub
temp1.c
sftp> rename temp1.c temp2.c
sftp> dir
aa.pub
temp2.c
rmdir
Use rmdir to delete a directory from the SFTP server.
Syntax
rmdir remote-path
Views
SFTP client view...
user username: Specifies an SCP username, a case-sensitive string of 1 to 80 characters. If the username contains an ISP domain name, use the pureusername@domain format. The pureusername argument is a string of 1 to 55 characters. The domain argument is a string of 1 to 24 characters.
public key algorithm is used, you must specify this option for the client to get the correct local certificate.
prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported.
zlib: Specifies the compression algorithm zlib.
• interface interface-type interface-number: Specifies a source interface by its type and number. The IPv6 address of this interface is the source IPv6 address of the IPv6 SCP packets.
• ipv6 ipv6-address: Specifies a source IPv6 address.
Usage guidelines
Table 64 Suite B algorithms
Security Key exchange Encryption algorithm...
source-file-name: Specifies the name of the source file, a case-sensitive string of 1 to 255 characters.
destination-file-name: Specifies the name of the target file, a case-sensitive string of 1 to 255 characters. If you do not specify this argument, the target file uses the same file name as the source file.
sftp
Use sftp to establish a connection to an IPv4 SFTP server and enter SFTP client view.
Syntax
In non-FIPS mode:
sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 |...
• x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp256.
• x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp384.
• pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument is a case-insensitive string of 1 to 31 characters. When the x509v3 public key algorithm is used, you must specify this option for the client to get the correct local certificate.
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha2-256. Supported algorithms are the same as the client-to-server HMAC algorithms (see the prefer-ctos-hmac keyword).
dscp dscp-value: Specifies the DSCP value in the IPv4 SFTP packets. The value range for the dscp-value argument is 0 to 63, and the default value is 48.
Default
The source IPv6 address for SFTP packets is not configured. The SFTP client automatically selects an IPv6 address for SFTP packets in compliance with RFC 3484.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
interface interface-type interface-number: Specifies a source interface by its type and number. The SFTP packets use the longest-matching IPv6 address of the specified interface as their source address.
Parameters
interface interface-type interface-number: Specifies a source interface by its type and number. The SFTP packets use the primary IPv4 address of the interface as their source address.
ip ip-address: Specifies a source IPv4 address.
Usage guidelines
This command takes effect on all SFTP connections. The source IPv4 address specified in the sftp command takes effect only on the current SFTP connection.
mdc-admin
Parameters
server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters.
port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs.
• md5: Specifies the HMAC algorithm hmac-md5.
• md5-96: Specifies the HMAC algorithm hmac-md5-96.
• sha1: Specifies the HMAC algorithm hmac-sha1.
• sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
• sha2-256: Specifies the HMAC algorithm hmac-sha2-256.
• sha2-512: Specifies the HMAC algorithm hmac-sha2-512.
prefer-kex: Specifies the preferred key exchange algorithm.
server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.
prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported.
zlib: Specifies the compression algorithm zlib.
dscp dscp-value: Specifies the DSCP value in the IPv6 SFTP packets.
Parameters
server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters.
port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.
Examples
# Use the 128-bit Suite B algorithms to establish a connection to SFTP server 10.1.1.2. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively.
<Sysname> sftp 10.1.1.2 suite-b 128-bit pki-domain clientpkidomain server-pki-domain serverpkidomain
Username
ssh client ipv6 source
Use ssh client ipv6 source to configure the source IPv6 address for SSH packets that are sent by...
ssh client source
Use ssh client source to configure the source IPv4 address for SSH packets that are sent by the Stelnet client.
Use undo ssh client source to restore the default.
Syntax
ssh client source { interface interface-type interface-number | ip ip-address }
undo ssh client source
Default
The source IPv4 address for SSH packets is not configured.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128-ctr. Supported algorithms are des-cbc, 3des-cbc, aes128-cbc, aes128-ctr, aes128-gcm, aes192-ctr, aes256-cbc, aes256-ctr, and aes256-gcm, in ascending order of security strength and computation time.
• 3des-cbc: Specifies the encryption algorithm 3des-cbc.
•...
characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes (').
source: Specifies a source IPv4 address or source interface for SSH packets. By default, the device uses the primary IPv4 address of the output interface in the routing entry as the source address of SSH packets.
prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported.
zlib: Specifies the compression algorithm zlib.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128-ctr. Supported algorithms are des-cbc, 3des-cbc, aes128-cbc, aes128-ctr, aes128-gcm, aes192-ctr, aes256-cbc, aes256-ctr, and aes256-gcm, in ascending order of security strength and computation time.
public-key keyname: Specifies the server by its host public key that the client uses to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters.
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters.
domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | escape character | source { interface interface-type interface-number | ipv6 ipv6-address } ] *
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters.
Usage guidelines
Table 68 Suite B algorithms
Security level  Key exchange algorithm  Encryption algorithm and HMAC algorithm  Public key algorithm
128-bit  ecdh-sha2-nistp256  aes128-gcm  x509v3-ecdsa-sha2-nistp256
192-bit  ecdh-sha2-nistp384  aes256-gcm  x509v3-ecdsa-sha2-nistp384
Both  ecdh-sha2-nistp256  aes128-gcm  x509v3-ecdsa-sha2-nistp256
Both  ecdh-sha2-nistp384  aes256-gcm  x509v3-ecdsa-sha2-nistp384
The combination of an escape character and a dot (.) works as an escape sequence. This escape sequence is typically used to quickly terminate an SSH connection when the server reboots or malfunctions.
suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see Table
128-bit: Specifies the 128-bit Suite B security level.
192-bit: Specifies the 192-bit Suite B security level.
Examples
# Use the 128-bit Suite B algorithms to establish a connection to Stelnet server 3.3.3.3. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively.
<Sysname> ssh2 3.3.3.3 suite-b 128-bit pki-domain clientpkidomain server-pki-domain serverpkidomain
Username
SSH2 commands
display ssh2 algorithm...
<Sysname> system-view
[Sysname] ssh2 algorithm key-exchange dh-group1-sha1
Related commands
display ssh2 algorithm
ssh2 algorithm cipher
ssh2 algorithm mac
ssh2 algorithm public-key
ssh2 algorithm mac
Use ssh2 algorithm mac to specify MAC algorithms for SSH2.
Use undo ssh2 algorithm mac to restore the default.
Syntax
In non-FIPS mode:
ssh2 algorithm mac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } *...
SSL commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
ciphersuite
Use ciphersuite to specify the cipher suites supported by an SSL server policy.
ecdhe_ecdsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.
ecdhe_ecdsa_aes_128_gcm_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 128-bit AES_GCM, and MAC algorithm SHA256.
ecdhe_ecdsa_aes_256_cbc_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA384.
• Key exchange algorithms—Implement secure exchange of the keys used by the symmetric key algorithm and the MAC algorithm. Commonly used key exchange algorithms are usually asymmetric key algorithms, such as RSA.
After the SSL server receives a cipher suite from a client, the server matches the received cipher suite against the cipher suites it supports.
Optional SSL client authentication—The SSL server does not require an SSL client to submit its digital certificate for identity authentication.
• If an SSL client submits its certificate to the SSL server, the server authenticates the client identity. The client must pass authentication to access the server.
•...
Examples
# Display cryptographic library version information.
<Sysname> display crypto version
7.1.1.1.1.57
Table 71 Command output
Field  Description
7.1.1.1.1.57  Cryptographic library version information, in the 7.1.X format:
• The 7.1 segment represents Comware 700R001.
• The X segment represents the cryptographic library version.
display ssl client-policy
Use display ssl client-policy to display SSL client policy information.
display ssl server-policy
Use display ssl server-policy to display SSL server policy information.
Syntax
display ssl server-policy [ policy-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
policy-name: Specifies an SSL server policy by its name, a case-insensitive string of 1 to 31 characters.
Default
No PKI domain is specified for an SSL client policy.
Views
SSL client policy view
Predefined user roles
network-admin
mdc-admin
Parameters
domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
If you specify a PKI domain for an SSL client policy, the SSL client that uses the SSL client policy will obtain its digital certificate through the specified PKI domain.
Examples
# Specify PKI domain server-domain for SSL server policy policy1.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] pki-domain server-domain
Related commands
display ssl server-policy
pki domain
prefer-cipher
Use prefer-cipher to specify a preferred cipher suite for an SSL client policy.
Use undo prefer-cipher to restore the default.
dhe_rsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.
dhe_rsa_aes_256_cbc_sha: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA.
dhe_rsa_aes_256_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA256.
• Data encryption algorithms—Encrypt data to ensure privacy. Commonly used data encryption algorithms are usually symmetric key algorithms. When using a symmetric key algorithm, the SSL server and the SSL client must use the same key.
• Message Authentication Code (MAC) algorithms—Calculate the MAC value for data to ensure integrity.
Examples
# Enable the SSL client to use digital certificates to authenticate the SSL server.
<Sysname> system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1] server-verify enable
Related commands
display ssl client-policy
session
Use session to set the maximum number of sessions that the SSL server can cache and the timeout time for cached sessions.
ssl client-policy
Use ssl client-policy to create an SSL client policy and enter its view, or enter the view of an existing SSL client policy.
Use undo ssl client-policy to delete an SSL client policy.
Syntax
ssl client-policy policy-name
undo ssl client-policy policy-name
Default
No SSL client policies exist.
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The SSL session renegotiation feature enables the SSL client and server to reuse a previously negotiated SSL session for an abbreviated handshake. Disabling session renegotiation causes more computational overhead to the system but it can avoid potential risks.
ssl version disable
Use ssl version disable to disable the SSL server from using specific SSL protocol versions for session negotiation.
Use undo ssl version disable to restore the default.
Syntax
In non-FIPS mode:
ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable
undo ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable
In FIPS mode:
ssl version { tls1.0 | tls1.1 } * disable...
version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 }
undo version
In FIPS mode:
version { tls1.0 | tls1.1 | tls1.2 }
undo version
Default
An SSL client policy uses SSL protocol version TLS 1.0.
Views
SSL client policy view
Predefined user roles
network-admin
mdc-admin...
Attack detection and prevention commands
ack-flood action
Use ack-flood action to specify global actions against ACK flood attacks.
Use undo ack-flood action to restore the default.
Syntax
ack-flood action { drop | logging } *
undo ack-flood action
Default
No global action is specified for ACK flood attacks.
Views
Attack defense policy view
Predefined user roles...
Default
IP address-specific ACK flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s.
ipv6 ipv6-address: Specifies the IPv6 address to be protected.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs.
Syntax
ack-flood detect non-specific
undo ack-flood detect non-specific
Default
Global ACK flood attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The global ACK flood attack detection applies to all IP addresses except those specified by the ack-flood detect command.
Usage guidelines With global ACK flood attack detection configured, the device is in attack detection state. When the sending rate of ACK packets to an IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Each device can have only one attack defense policy applied. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Apply attack defense policy atk-policy-1 to the device.
<Sysname> system-view
[Sysname] attack-defense local apply policy atk-policy-1
Related commands
attack-defense policy
display attack-defense policy...
undo attack-defense login enable
Default
Login attack prevention is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
After a user fails the maximum number of login attempts, login attack prevention uses the blacklist to block the user from logging in during the block period. For login attack prevention to take effect, you must enable the global blacklist feature.
The login failure counter for a user is reset after the user logs in successfully. If the device reboots, all login failure counters are reset.
Examples
# Set the maximum number of successive login failures to five.
<Sysname> system-view
[Sysname] attack-defense login max-attempt 5
Related commands
attack-defense login enable
attack-defense login reauthentication-delay...
undo attack-defense policy policy-name
Default
No attack defense policies exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
policy-name: Assigns a name to the attack defense policy. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).
• Source and destination IP addresses.
• VPN instance to which the victim IP address belongs.
As a best practice, do not disable log aggregation. A large number of logs will consume the display resources of the console.
Examples
# Enable log non-aggregation for single-packet attack events.
<Sysname>...
Syntax
blacklist global enable
undo blacklist global enable
Default
The global blacklist feature is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
If you enable the global blacklist feature, the blacklist feature is enabled on all interfaces.
Examples
# Enable the global blacklist feature.
timeout minutes: Specifies the aging time in minutes for the blacklist entry, in the range of 1 to 1000. If you do not specify this option, the blacklist entry never ages out. You must delete it manually.
Usage guidelines
The undo blacklist ip command deletes only manually added IPv4 blacklist entries. To delete dynamically added IPv4 blacklist entries, use the reset blacklist ip command.
A blacklist entry with an aging time is not saved to the configuration file and cannot survive a reboot. You can use the display blacklist ipv6 command to display all effective IPv6 blacklist entries that are manually added.
Examples
# Add a blacklist entry for IPv6 address 2012::12:25 and set the aging time to 10 minutes for the entry.
# Add 192.168.1.2 to the blacklist. A log is output for the adding event.
[Sysname] blacklist ip 192.168.100.12
%Mar 13 03:47:49:736 2013 Sysname BLS/5/BLS_ENTRY_ADD:SrcIPAddr(1003)=192.168.100.12; DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=--; TTL(1051)=; Reason(1052)=Configuration.
# Delete 192.168.1.2 from the blacklist. A log is output for the deletion event.
[Sysname] undo blacklist ip 192.168.100.12
%Mar 13 03:49:52:737 2013 Sysname BLS/5/BLS_ENTRY_DEL:SrcIPAddr(1003)=192.168.100.12;...
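The BLS_ENTRY_ADD and BLS_ENTRY_DEL messages above follow a fixed layout: a timestamp, the host name, a module/severity/mnemonic header, then a list of Name(id)=value fields. The Python parser below is an added example, not part of this command reference or of the vendor's software; it turns such a line into a structured event so that a log collector can track blacklist changes (for example, entries added by configuration rather than by attack detection, or deletions of entries that were expected to persist). The sample lines are constructed for the example: the first is the ADD message shown above, the second completes the truncated DEL message in the same field layout.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input. The first line is the BLS_ENTRY_ADD message from the
# command reference; the second is a BLS_ENTRY_DEL message completed in the same
# field layout for this example (the reference shows it truncated).
SAMPLE_LOGS = [
    "%Mar 13 03:47:49:736 2013 Sysname BLS/5/BLS_ENTRY_ADD:SrcIPAddr(1003)=192.168.100.12; "
    "DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=--; TTL(1051)=; Reason(1052)=Configuration.",
    "%Mar 13 03:49:52:737 2013 Sysname BLS/5/BLS_ENTRY_DEL:SrcIPAddr(1003)=192.168.100.12; "
    "DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=--; TTL(1051)=; Reason(1052)=Configuration.",
]

# Header: %<Mon> <day> <hh:mm:ss:ms> <year> <host> <MODULE>/<severity>/<MNEMONIC>:<body>
_HEADER = re.compile(
    r"^%(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}:\d{3} \d{4}) "
    r"(?P<host>\S+) (?P<module>[A-Z0-9]+)/(?P<severity>\d)/(?P<mnemonic>\w+):(?P<body>.*)$"
)
# One body field: Name(numeric-id)=value
_FIELD = re.compile(r"^(?P<name>\w+)\((?P<id>\d+)\)=(?P<value>.*)$")


def parse_bls_log(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None if it is not in this format.

    Empty values and the '--' placeholder (field not applicable) are mapped to None so
    downstream rules do not have to special-case them.
    """
    m = _HEADER.match(line.strip())
    if not m:
        return None
    fields: Dict[str, Optional[str]] = {}
    body = m.group("body").rstrip(".")  # the message ends with a period
    for item in body.split(";"):
        item = item.strip()
        if not item:
            continue
        f = _FIELD.match(item)
        if not f:
            continue  # tolerate fields we do not recognise
        value = f.group("value")
        fields[f.group("name")] = None if value in ("", "--") else value
    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "module": m.group("module"),
        "severity": int(m.group("severity")),
        "mnemonic": m.group("mnemonic"),
        "fields": fields,
    }


def blacklist_changes(lines: List[str]) -> Dict[str, List[Tuple[str, Optional[str]]]]:
    """Collect blacklist add/delete events per source address as (action, reason) pairs.

    Lines that are not BLS entry events are ignored, so the function can be fed a
    mixed log stream.
    """
    actions = {"BLS_ENTRY_ADD": "add", "BLS_ENTRY_DEL": "del"}
    changes: Dict[str, List[Tuple[str, Optional[str]]]] = {}
    for line in lines:
        ev = parse_bls_log(line)
        if ev is None or ev["module"] != "BLS":
            continue
        action = actions.get(ev["mnemonic"])
        if action is None:
            continue
        ip = ev["fields"].get("SrcIPAddr") or "unknown"
        changes.setdefault(ip, []).append((action, ev["fields"].get("Reason")))
    return changes


if __name__ == "__main__":
    for ip, events in blacklist_changes(SAMPLE_LOGS).items():
        print(ip, events)
```

A collector rule built on blacklist_changes can, for instance, raise an alert when a "del" with Reason=Configuration appears for an address that an attack-detection "add" created, since that indicates an operator removed a dynamically learned entry.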
device. If you do not specify a card, this command displays IPv4 flood attack detection and prevention statistics for all cards. (In IRF mode.)
count: Displays the number of matching protected IPv4 addresses.
Usage guidelines
The device collects statistics about protected IP addresses for flood attack detection and prevention. The attackers' IP addresses are not recorded.
Examples
# (In standalone mode.) Display all IPv6 flood attack detection and prevention statistics.
<Sysname> display attack-defense flood statistics ipv6
Slot 1:
IPv6 address  Detected on  Detect type  State  Dropped
1::4  Local  ACK-FLOOD  Normal  1000 111111111
1::5  Local  SYN-FLOOD  Normal  1000 22222222
Slot 2:...
mdc-operator
Parameters
policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-). If no attack defense policy is specified, this command displays brief information about all attack defense policies.
UDP Snork  Disabled  Info
UDP Fraggle  Enabled  Info
IP option record route  Disabled  Info
IP option internet timestamp  Enabled  Info
IP option security  Disabled  Info
IP option loose source routing  Enabled  Info
IP option stream ID  Disabled  Info
IP option strict source routing  Disabled  Info
IP option route alert...
HTTP flood  10000  80,8080  Enabled
Flood attack defense for protected IP addresses:
Address  VPN instance  Flood type  Thres(pps)  Actions  Ports
1::1  FIN-FLOOD
192.168.1.1  SYN-ACK-FLOOD  10
1::1  FIN-FLOOD
2013:2013:2013:2013:2013:2013:2013:2013  DNS-FLOOD  L,CV
Table 76 Command output
Field  Description
Policy name  Name of the attack defense policy.
Applied list  Locations to which the attack defense policy is applied: Local (Local indicates that the policy is applied to the device).
Field  Description
Global actions  Global prevention actions against the flood attack:
• D—Dropping packets.
• L—Logging.
• -—Not configured.
Service ports  Ports that are protected against the flood attack. This field displays port numbers only for the DNS and HTTP flood attacks. For other flood attacks, this field displays a hyphen (-).
Slot 1:
IP address  VPN instance  Type  Rate threshold(PPS)  Dropped
123.123.123.123  --  SYN-ACK-FLOOD  100  4294967295
201.55.7.45  ICMP-FLOOD
192.168.11.5  DNS-FLOOD
Slot 2:
IP address  VPN instance  Type  Rate threshold(PPS)  Dropped
# (In standalone mode.) Display the number of IPv4 addresses protected by flood attack detection and prevention in attack defense policy abc.
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).
ack-flood: Specifies ACK flood attack.
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. This option is available only when you specify the device.
Syntax
In standalone mode:
display attack-defense scan attacker ipv6 [ [ local ] [ slot slot-number ] ] [ count ]
In IRF mode:
display attack-defense scan attacker ipv6 [ [ local ] [ chassis chassis-number slot slot-number ] ] [ count ]
Views
Any view...
Table 81 Command output
Field  Description
Totally 1 attackers  Total number of IPv6 scanning attackers.
IPv6 address  IPv6 address of the attacker.
VPN instance  MPLS L3VPN instance to which the attacker IPv6 address belongs. If the attacker IPv6 address is on the public network, this field displays hyphens (--).
Usage guidelines
If you do not specify any parameters, this command displays information about all IPv4 scanning attack victims.
Examples
# (In standalone mode.) Display information about all IPv4 scanning attack victims.
<Sysname> display attack-defense scan victim ip
Slot 1:
IP address  VPN instance  Detected on...
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
local: Specifies the device.
slot slot-number: Specifies a card by its slot number. This option is available only when you specify the device. If you do not specify a card, this command displays information about IPv6 scanning attack victims for all cards.
Related commands
display attack-defense scan attacker ipv6
scan detect
display attack-defense statistics local
Use display attack-defense statistics local to display attack detection and prevention statistics for the device.
Syntax
In standalone mode:
display attack-defense statistics local [ slot slot-number ]
In IRF mode:
display attack-defense statistics local [ chassis chassis-number slot slot-number ]
Views...
UDP flood
ICMP flood
ICMPv6 flood
DNS flood
HTTP flood
Signature attack defense statistics:
AttackType  AttackTimes  Dropped
IP option record route
IP option security
IP option stream ID
IP option internet timestamp
IP option loose source routing
IP option strict source routing
IP option route alert
Fragment
Impossible...
ICMPv6 echo reply
ICMPv6 group membership query
ICMPv6 group membership report
ICMPv6 group membership reduction
ICMPv6 destination unreachable
ICMPv6 time exceeded
ICMPv6 parameter problem
ICMPv6 packet too big
Slot 2:
Scan attack defense statistics:
AttackType  AttackTimes  Dropped
Port scan
IP sweep
Distribute port scan
Flood attack defense statistics:
AttackType...
TCP invalid flag
TCP Land
Winnuke
UDP Bomb
Snork
Fraggle
Large ICMPv6
ICMP echo request
ICMP echo reply
ICMP source quench
ICMP destination unreachable
ICMP redirect
ICMP time exceeded
ICMP parameter problem
ICMP timestamp request
ICMP timestamp reply
ICMP information request
ICMP information reply
ICMP address mask request
ICMP address mask reply...
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
source-ip-address: Specifies the IPv4 address for a blacklist entry.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network.
Related commands
blacklist ipv6
display blacklist user
Use display blacklist user to display user blacklist entries.
Syntax
display blacklist user [ user-name ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
user-name: Specifies a user by the username, a case-sensitive string of 1 to 55 characters. If you do not specify a user, this command displays all user blacklist entries.
Related commands
blacklist global enable
blacklist user
dns-flood action
Use dns-flood action to specify global actions against DNS flood attacks.
Use undo dns-flood action to restore the default.
Syntax
dns-flood action { drop | logging } *
undo dns-flood action
Default
No global action is specified for DNS flood attacks.
Default
IP address-specific DNS flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s.
ipv6 ipv6-address: Specifies the IPv6 address to be protected.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs.
dns-flood detect non-specific
Use dns-flood detect non-specific to enable global DNS flood attack detection.
Use undo dns-flood detect non-specific to disable global DNS flood attack detection.
Syntax
dns-flood detect non-specific
undo dns-flood detect non-specific
Default
Global DNS flood attack detection is disabled.
Views
Attack defense policy view
Predefined user roles...
mdc-admin
Parameters
port-list: Specifies a space-separated list of up to 65535 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number.
Usage guidelines
The device detects only DNS packets destined for the specified ports.
The global threshold applies to global DNS flood attack detection. Adjust the threshold according to the application scenarios. If the number of DNS packets sent to a protected DNS server is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.
• Destination IP address.
• Source port.
• Destination port.
• Protocol.
• L3VPN instance.
• The fragment keyword for matching non-first fragments.
If the specified ACL does not exist or does not contain a rule, attack detection exemption does not take effect.
Syntax
fin-flood threshold threshold-value
undo fin-flood threshold
Default
The global threshold is 1000 for triggering FIN flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of FIN packets sent to an IP address per second.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
drop: Drops subsequent HTTP packets destined for the victim IP addresses.
logging: Enables logging for HTTP flood attack events.
Examples
# Specify drop as the global action against HTTP flood attacks in attack defense policy atk-policy-1.
<Sysname>...
port port-list: Specifies a space-separated list of up to 65535 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. If you do not specify this option, the global ports apply.
mdc-admin
Usage guidelines
The global HTTP flood attack detection applies to all IP addresses except for those specified by the http-flood detect command. The global detection uses the global trigger threshold set by the http-flood threshold command and global actions specified by the http-flood action command.
Examples
# Enable global HTTP flood attack detection in attack defense policy atk-policy-1.
Related commands http-flood action http-flood detect http-flood detect non-specific http-flood threshold Use http-flood threshold to set the global threshold for triggering HTTP flood attack prevention. Use undo http-flood threshold to restore the default. Syntax http-flood threshold threshold-value undo http-flood threshold Default The global threshold is 1000 for triggering HTTP flood attack prevention.
icmp-flood action Use icmp-flood action to specify global actions against ICMP flood attacks. Use undo icmp-flood action to restore the default. Syntax icmp-flood action { drop | logging } * undo icmp-flood action Default No global action is specified for ICMP flood attacks. Views Attack defense policy view Predefined user roles...
Predefined user roles network-admin mdc-admin Parameters ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
Views Attack defense policy view Predefined user roles network-admin mdc-admin Usage guidelines The global ICMP flood attack detection applies to all IP addresses except for those specified by the icmp-flood detect ip command. The global detection uses the global trigger threshold set by the icmp-flood threshold command and global actions specified by the icmp-flood action command.
The global threshold applies to global ICMP flood attack detection. Adjust the threshold according to the application scenarios. If the number of ICMP packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services.
Default The global threshold is 1000 for triggering ICMPv6 flood attack prevention. Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of ICMPv6 packets sent to an IP address per second. Usage guidelines With global ICMPv6 flood attack detection configured, the device is in attack detection state.
Parameters policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-). ip: Specifies protected IPv4 addresses. ipv6: Specifies protected IPv6 addresses.
Predefined user roles network-admin mdc-admin Parameters source-ip-address: Specifies the IPv4 address for a blacklist entry. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network.
reset blacklist statistics Use reset blacklist statistics to clear blacklist statistics. Syntax reset blacklist statistics Views User view Predefined user roles network-admin mdc-admin Usage guidelines This command resets the counter for dropped packets for all blacklist entries. Examples # Clear blacklist statistics. <Sysname>...
Use undo rst-flood threshold to restore the default. Syntax rst-flood threshold threshold-value undo rst-flood threshold Default The global threshold is 1000 for triggering RST flood attack prevention. Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of RST packets sent to an IP address per second.
Default No scanning attack detection is configured. Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters level: Specifies the level of the scanning attack detection. low: Specifies the low level. This level provides basic scanning attack detection. It has a low false alarm rate but many scanning attacks cannot be detected.
blacklist global enable signature { large-icmp | large-icmpv6 } max-length Use signature { large-icmp | large-icmpv6 } max-length to set the maximum length of safe ICMP or ICMPv6 packets. A large ICMP or ICMPv6 attack occurs if an ICMP or ICMPv6 packet larger than the specified length is detected.
• redirect: Specifies the ICMP redirect type. • source-quench: Specifies the ICMP source quench type. • time-exceeded: Specifies the ICMP time exceeded type. • timestamp-reply: Specifies the ICMP timestamp reply type. • timestamp-request: Specifies the ICMP timestamp request type. icmpv6-type: Specifies an ICMPv6 packet attack by the packet type. You can specify the packet type by a number or a keyword: •...
teardrop: Specifies the teardrop attack. tiny-fragment: Specifies the tiny fragment attack. traceroute: Specifies the traceroute attack. udp-bomb: Specifies the UDP bomb attack. winnuke: Specifies the WinNuke attack. action: Specifies the actions against the single-packet attack. If you do not specify this keyword, the default action of the attack level to which the single-packet attack belongs is used.
Parameters high: Specifies the high level. None of the currently supported single-packet attacks belongs to this level. info: Specifies the informational level. For example, large ICMP packet attack is on this level. low: Specifies the low level. For example, the traceroute attack is on this level. medium: Specifies the medium level.
Examples # Specify drop as the global action against SYN-ACK flood attacks in attack defense policy atk-policy-1. <Sysname> system-view [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] syn-ack-flood action drop Related commands syn-ack-flood detect syn-ack-flood detect non-specific syn-ack-flood threshold syn-ack-flood detect Use syn-ack-flood detect to configure IP address-specific SYN-ACK flood attack detection. Use undo syn-ack-flood detect to remove the IP address-specific SYN-ACK flood attack detection configuration.
Usage guidelines With SYN-ACK flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of SYN-ACK packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
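The detection/prevention cycle described in the usage guidelines above, as an added example that is not part of the command reference: a Python model of the per-address state machine with the trigger threshold and the three-fourths silence threshold. The packet type (SYN-ACK), the action set and the per-second rate trace are constructed for illustration; on the device the rate is measured by the hardware, not fed in.

```python
# Added example, not code from the command reference. Models the flood
# attack detection state machine for one packet type (for example SYN-ACK):
# each protected address starts in detection state, enters prevention state
# when the per-second rate reaches the trigger threshold, and returns to
# detection state once the rate drops below the silence threshold, which
# is three-fourths of the trigger threshold.
from collections import defaultdict

DETECTION = "detection"
PREVENTION = "prevention"


class FloodDetector:
    def __init__(self, threshold=1000, actions=("drop", "logging")):
        # threshold-value range from the command syntax: 1 to 1000000 pps
        if not 1 <= threshold <= 1000000:
            raise ValueError("threshold-value must be in the range 1 to 1000000")
        self.threshold = threshold
        self.silence_threshold = threshold * 3 / 4
        self.actions = set(actions)        # subset of {"drop", "logging"}
        self.state = defaultdict(lambda: DETECTION)
        self.log = []                      # what the logging action would emit

    def observe_second(self, dst_ip, rate):
        """Feed the measured packets-per-second rate towards dst_ip for one
        second and return the state the address is in afterwards."""
        current = self.state[dst_ip]
        if current == DETECTION and rate >= self.threshold:
            self.state[dst_ip] = PREVENTION
            if "logging" in self.actions:
                self.log.append(f"{dst_ip}: {rate} pps reached threshold "
                                f"{self.threshold}, entering prevention state")
        elif current == PREVENTION and rate < self.silence_threshold:
            self.state[dst_ip] = DETECTION
        return self.state[dst_ip]

    def forwards(self, dst_ip):
        """Whether a further packet to dst_ip is forwarded right now: it is
        dropped only in prevention state with the drop action configured."""
        return not (self.state[dst_ip] == PREVENTION and "drop" in self.actions)


def run_trace(detector, dst_ip, rates):
    """Replay a constructed per-second rate trace and return the state after
    each second, showing the hysteresis between the two thresholds."""
    return [detector.observe_second(dst_ip, rate) for rate in rates]


if __name__ == "__main__":
    det = FloodDetector(threshold=1000)
    # constructed trace: ramp up, hover between the two thresholds, calm down
    print(run_trace(det, "192.0.2.10", [200, 999, 1000, 800, 760, 749, 100]))
    print(det.log)
```

With the default threshold of 1000 the address stays in prevention state at 800 and 760 pps, because leaving prevention requires the rate to fall below 750, not merely below 1000. With only the logging action configured the device records the event but keeps forwarding.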
Related commands syn-ack-flood action syn-ack-flood detect syn-ack-flood threshold syn-ack-flood threshold Use syn-ack-flood threshold to set the global threshold for triggering SYN-ACK flood attack prevention. Use undo syn-ack-flood threshold to restore the default. Syntax syn-ack-flood threshold threshold-value undo syn-ack-flood threshold Default The global threshold is 1000 for triggering SYN-ACK flood attack prevention.
syn-flood action Use syn-flood action to specify global actions against SYN flood attacks. Use undo syn-flood action to restore the default. Syntax syn-flood action { drop | logging } * undo syn-flood action Default No global action is specified for SYN flood attacks. Views Attack defense policy view Predefined user roles...
Predefined user roles network-admin mdc-admin Parameters ip ipv4-address: Specifies the IPv4 address to be protected. The ipv4-address argument cannot be all 1s or 0s. ipv6 ipv6-address: Specifies the IPv6 address to be protected. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs.
Views Attack defense policy view Predefined user roles network-admin mdc-admin Usage guidelines The global SYN flood attack detection applies to all IP addresses except for those specified by the syn-flood detect command. The global detection uses the global trigger threshold set by the syn-flood threshold command and global actions specified by the syn-flood action command.
The global threshold applies to global SYN flood attack detection. Adjust the threshold according to the application scenarios. If the number of SYN packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services.
Related commands udp-flood action udp-flood detect non-specific udp-flood threshold udp-flood detect non-specific Use udp-flood detect non-specific to enable global UDP flood attack detection. Use undo udp-flood detect non-specific to disable global UDP flood attack detection. Syntax udp-flood detect non-specific undo udp-flood detect non-specific Default Global UDP flood attack detection is disabled.
Default The global threshold is 1000 for triggering UDP flood attack prevention. Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of UDP packets sent to an IP address per second. Usage guidelines With global UDP flood attack detection configured, the device is in attack detection state.
Views System view Predefined user roles network-admin mdc-admin Parameters interval: Specifies the check interval in the range of 1 to 60 seconds. Usage guidelines This command takes effect only after you enable Naptha attack prevention. After you enable Naptha attack prevention, the device checks the number of TCP connections in each state at the configured interval.
connection-limit number: Specifies the maximum number of TCP connections, in the range of 0 to 500. A value of 0 means that the device does not accelerate the aging of the TCP connections in a state. Usage guidelines This command takes effect only after you enable Naptha attack prevention. If the number of TCP connections in a state exceeds the limit, the device accelerates the aging of the TCP connections in that state.
argument represents the slot number of the card. If you do not specify a card, this command displays IPv4SG bindings for the global active MPU. (In IRF mode.) Examples # Display all IPSG bindings on the public network. <Sysname> display ip source binding Total entries found: 5 IP Address MAC Address...
display ip verify source excluded [ vlan start-vlan-id [ to end-vlan-id ] ] [ slot slot-number ] In IRF mode: display ip verify source excluded [ vlan start-vlan-id [ to end-vlan-id ] ] [ chassis chassis-number slot slot-number ] Views Any view Predefined user roles network-admin...
Field Description
End VLAN ID: End VLAN ID of the VLAN range that has been configured to be excluded from IPSG filtering.
Status: Whether the excluded VLAN configuration takes effect: • Active—The configuration takes effect. • Inactive—The configuration does not take effect.
Related commands ip verify source exclude display ipv6 source binding...
interface interface-type interface-number: Specifies an interface by its type and number. slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv6SG address bindings for the active MPU. (In standalone mode.) chassis chassis-number slot slot-number: Specifies a card on an IRF member device.
Table 91 Command output Field Description
Total entries found: Total number of IPv6SG prefix bindings.
IPv6 prefix: IPv6 prefix and prefix length in the IPv6SG prefix binding.
MAC address: MAC address in the IPv6SG prefix binding. This field displays N/A if the MAC address is invalid.
Interface: Interface to which the IPv6SG prefix binding belongs.
Usage guidelines Static IPv4SG bindings on an interface implement the following functions: • Filter incoming IPv4 packets on the interface. • Check user validity by cooperating with the ARP attack detection feature. You cannot configure static IPv4SG bindings on a service loopback interface. Examples # Configure a static IPv4SG binding on Ten-GigabitEthernet 1/0/1.
Related commands display ip source binding ip source binding (interface view) ip verify source Use ip verify source to enable IPv4SG on an interface. Use undo ip verify source to disable IPv4SG on an interface. Syntax ip verify source { ip-address | ip-address mac-address | mac-address } undo ip verify source Default The IPv4SG feature is disabled on an interface.
# Enable IPv4SG on Layer 3 Ethernet interface Ten-GigabitEthernet 1/0/2 and verify the source IPv4 address and MAC address for dynamic IPSG. <Sysname> system-view [Sysname] interface ten-gigabitethernet 1/0/2 [Sysname-Ten-GigabitEthernet1/0/2] ip verify source ip-address mac-address # Enable IPv4SG on Layer 3 Ethernet interface Ten-GigabitEthernet 1/0/2 and verify the source MAC address for dynamic IPSG.
ipv6 source binding (system view) Use ipv6 source binding to configure a global static IPv6SG binding. Use undo ipv6 source binding to delete one or all global static IPv6SG bindings. Syntax ipv6 source binding ip-address ipv6-address mac-address mac-address undo ipv6 source binding { all | ip-address ipv6-address mac-address mac-address } Default No global static IPv6SG bindings exist.
Views Layer 2 Ethernet interface view Layer 3 Ethernet interface view VLAN interface view Predefined user roles network-admin mdc-admin Parameters ip-address: Filters incoming packets by source IPv6 addresses. ip-address mac-address: Filters incoming packets by source IPv6 addresses and source MAC addresses.
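The IPSG behaviour described by the ip source binding, ipv6 source binding and ip verify source / ipv6 verify source commands above, as an added example that is not part of the command reference: a Python model of a binding table with global (system view) and per-interface static bindings, and the three verification modes applied per interface. Interface names and binding data are constructed; that a global binding is consulted on every IPSG-enabled interface is an assumption of this model.

```python
# Added example, not code from the command reference. A small model of
# IPv4SG/IPv6SG filtering: static bindings configured globally (system view)
# or on an interface, and per-interface verification of ip-address,
# ip-address mac-address, or mac-address. Interface names and the binding
# data are constructed; that a global binding is checked on every interface
# is an assumption of this model.
import ipaddress


def norm_mac(mac):
    """Accept H-H-H (0001-0002-0003), colon or hyphen MAC notation."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return digits


def norm_ip(ip):
    """Canonical text form for IPv4 or IPv6 so '2001:DB8::1' equals '2001:db8::1'."""
    return ipaddress.ip_address(ip).compressed


class IpSourceGuard:
    MODES = ("ip-address", "ip-address mac-address", "mac-address")

    def __init__(self):
        self.bindings = []   # (ip, mac, interface or None for a global binding)
        self.enabled = {}    # interface -> verification mode

    def add_static(self, ip, mac, interface=None):
        """ip source binding / ipv6 source binding, in system or interface view."""
        self.bindings.append((norm_ip(ip), norm_mac(mac), interface))

    def enable(self, interface, mode):
        """ip verify source / ipv6 verify source on an interface."""
        if mode not in self.MODES:
            raise ValueError(f"unknown verification mode {mode!r}")
        self.enabled[interface] = mode

    def check(self, interface, src_ip, src_mac):
        """Return True if a packet with this source IP/MAC arriving on the
        interface is forwarded, False if IPSG filters it."""
        mode = self.enabled.get(interface)
        if mode is None:
            return True                     # IPSG not enabled on this interface
        ip, mac = norm_ip(src_ip), norm_mac(src_mac)
        for b_ip, b_mac, b_if in self.bindings:
            if b_if not in (None, interface):
                continue                    # binding belongs to another interface
            if mode == "ip-address" and b_ip == ip:
                return True
            if mode == "mac-address" and b_mac == mac:
                return True
            if mode == "ip-address mac-address" and (b_ip, b_mac) == (ip, mac):
                return True
        return False
```

The ip-address mode is the weakest of the three: a host that spoofs a bound neighbour's IP address passes as long as it does not also need to match the MAC, which is why the ip-address mac-address mode is the one to use where the MAC is trustworthy.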
Views System view Predefined user roles network-admin mdc-admin Parameters count: Sets the number of probes, in the range of 1 to 25. Examples # Configure the device to perform five ARP blackhole route probes for each unresolved IP address. <Sysname> system-view [Sysname] arp resolving-route probe-count 5 Related commands arp resolving-route enable...
arp source-suppression enable Use arp source-suppression enable to enable the ARP source suppression feature. Use undo arp source-suppression enable to disable the ARP source suppression feature. Syntax arp source-suppression enable undo arp source-suppression enable Default The ARP source suppression feature is disabled. Views System view Predefined user roles...
Usage guidelines If unresolvable packets received from an IP address within 5 seconds exceed the limit, the device stops processing the packets from that IP address until the 5 seconds elapse. Examples # Configure the device to process a maximum of 100 unresolvable packets per source IP address within 5 seconds.
configure the information center module to set the log output rules. For more information about information center, see Network Management and Monitoring Configuration Guide. Examples # Enable logging for ARP packet rate limit. <Sysname> system-view [Sysname] arp rate-limit log enable arp rate-limit log interval Use arp rate-limit log interval to set the notification and log message sending interval for ARP packet rate limit.
Syntax snmp-agent trap enable arp [ rate-limit ] undo snmp-agent trap enable arp [ rate-limit ] Default SNMP notifications for ARP are disabled. Views System view Predefined user roles network-admin mdc-admin Parameters rate-limit: Specifies the ARP packet rate limit feature. Usage guidelines After you enable SNMP notifications for ARP, the device generates a notification that includes the highest threshold-crossed ARP packet rate within the sending interval.
Parameters filter: Specifies the filter handling method. monitor: Specifies the monitor handling method. Usage guidelines Configure this feature on the gateways. This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within 5 seconds exceeds a threshold, the device generates an ARP attack entry for the MAC address.
arp source-mac exclude-mac Use arp source-mac exclude-mac to exclude specific MAC addresses from source MAC-based ARP attack detection. Use undo arp source-mac exclude-mac to remove the excluded MAC addresses from source MAC-based ARP attack detection. Syntax arp source-mac exclude-mac mac-address&<1-64> undo arp source-mac exclude-mac [ mac-address&<1-64>...
Predefined user roles network-admin mdc-admin Parameters threshold-value: Specifies the threshold for source MAC-based ARP attack detection. The value range for this argument is 1 to 5000. Examples # Set the threshold for source MAC-based ARP attack detection to 30. <Sysname> system-view [Sysname] arp source-mac threshold 30 display arp source-mac Use display arp source-mac to display ARP attack entries detected by source MAC-based ARP...
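The source MAC-based ARP attack detection described by the arp source-mac, arp source-mac exclude-mac and arp source-mac threshold commands above, as an added example that is not part of the command reference: a Python model that counts ARP packets per source MAC over the 5-second window, creates an attack entry when the count exceeds the threshold, and applies the filter or monitor handling method. The timestamps, MAC addresses and the entry aging time are constructed; whether the packet that crosses the threshold is itself filtered is not stated on the page and is treated here as forwarded.

```python
# Added example, not code from the command reference. Models source
# MAC-based ARP attack detection on a gateway: ARP packets punted to the
# CPU are counted per source MAC within a 5-second window; exceeding the
# threshold creates an ARP attack entry. In filter mode subsequent packets
# from that MAC are dropped, in monitor mode they are only logged. MACs on
# the exclude list are never checked. The aging time is an assumption.
from collections import defaultdict, deque


class ArpSourceMacDetector:
    WINDOW = 5.0   # seconds, from the usage guidelines

    def __init__(self, handling="filter", threshold=30, exclude=(), aging_minutes=5):
        if handling not in ("filter", "monitor"):
            raise ValueError("handling method must be filter or monitor")
        if not 1 <= threshold <= 5000:      # range of arp source-mac threshold
            raise ValueError("threshold-value must be in the range 1 to 5000")
        self.handling = handling
        self.threshold = threshold
        self.exclude = {m.lower() for m in exclude}   # arp source-mac exclude-mac
        self.aging = aging_minutes * 60               # assumed entry lifetime
        self.times = defaultdict(deque)   # src MAC -> arrival times in the window
        self.entries = {}                 # src MAC -> time the attack entry ages out
        self.events = []                  # (time, src MAC, count) for logging

    def receive(self, src_mac, ts):
        """Process one ARP packet from src_mac at time ts (seconds); return
        'forward' or 'drop'."""
        src_mac = src_mac.lower()
        if src_mac in self.exclude:
            return "forward"
        expiry = self.entries.get(src_mac)
        if expiry is not None and ts >= expiry:
            del self.entries[src_mac]     # the attack entry aged out
            expiry = None
        if expiry is not None:
            return "drop" if self.handling == "filter" else "forward"
        q = self.times[src_mac]
        q.append(ts)
        while ts - q[0] >= self.WINDOW:   # keep only the last 5 seconds
            q.popleft()
        if len(q) > self.threshold:
            # Assumption: the packet crossing the threshold is still forwarded;
            # only subsequent packets from this MAC are filtered.
            self.entries[src_mac] = ts + self.aging
            self.events.append((ts, src_mac, len(q)))
            q.clear()
        return "forward"

    def display_source_mac(self):
        """Rough equivalent of display arp source-mac: MACs with live entries."""
        return sorted(self.entries)
```

Because the counter is keyed on the source MAC rather than on the sender IP address, a host that cycles through spoofed sender addresses is still caught, while a legitimately chatty host (a monitoring system, for instance) is the kind of sender you exclude with arp source-mac exclude-mac rather than by raising the threshold for everyone.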
Table 93 Command output Field Description Source-MAC Source MAC address of the attack. VLAN ID ID of the VLAN in which the attack was detected. Interface Interface on which the attack was detected. Aging-time Aging time for the ARP attack entry, in minutes. ARP packet source MAC consistency check commands arp valid-check enable...
Syntax arp active-ack [ strict ] enable undo arp active-ack [ strict ] enable Default The ARP active acknowledgement feature is disabled. Views System view Predefined user roles network-admin mdc-admin Parameters strict: Enables strict mode for ARP active acknowledgement. Usage guidelines Configure this feature on gateways to prevent user spoofing.
[Sysname-vlan2] arp detection enable Related commands arp detection enable arp detection trust Use arp detection trust to configure an interface as an ARP trusted interface or configure an AC as an ARP trusted AC. Use undo arp detection trust to restore the default. Syntax arp detection trust undo arp detection trust...
Views System view Predefined user roles network-admin mdc-admin Parameters dst-mac: Checks the target MAC address of ARP responses. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
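The two ARP validity checks the page describes, the dst-mac check above (target MAC of a reply all-zero, all-one, or different from the Ethernet destination MAC) and the source MAC consistency check (Ethernet source MAC against the ARP sender MAC), as an added example that is not part of the command reference: a Python parser for raw Ethernet/ARP frames that applies both rules. The frames in the test are constructed with the builder at the bottom and use documentation addresses.

```python
# Added example, not code from the command reference. Parses a raw
# Ethernet + ARP frame and applies two validity rules from the page:
#  - source MAC consistency: the ARP sender hardware address must equal
#    the Ethernet source MAC;
#  - dst-mac: for an ARP reply, the target hardware address must not be
#    all-zero or all-one and must equal the Ethernet destination MAC.
# The frame builder and addresses are constructed for the example.
import struct

ARP_ETHERTYPE = 0x0806
ARP_REPLY = 2
ZERO_MAC = bytes(6)
BROADCAST_MAC = b"\xff" * 6


def mac(text):
    """'00-00-5e-00-53-01' or '00:00:5e:00:53:01' -> 6 raw bytes."""
    return bytes.fromhex("".join(c for c in text if c in "0123456789abcdefABCDEF"))


def ipv4(text):
    return bytes(int(octet) for octet in text.split("."))


def parse_arp_frame(frame):
    """Return the Ethernet and ARP fields of a frame, or raise ValueError."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ARP_ETHERTYPE:
        raise ValueError("not an ARP frame")
    (htype, ptype, hlen, plen, op,
     sha, spa, tha, tpa) = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"eth_dst": eth_dst, "eth_src": eth_src, "op": op,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def arp_valid_check(frame, dst_mac=True, src_mac=True):
    """Return (True, None) if the frame passes the enabled checks, else
    (False, reason). Invalid frames would be discarded by the gateway."""
    p = parse_arp_frame(frame)
    if src_mac and p["sha"] != p["eth_src"]:
        return False, "ARP sender MAC differs from Ethernet source MAC"
    if dst_mac and p["op"] == ARP_REPLY:
        if p["tha"] in (ZERO_MAC, BROADCAST_MAC) or p["tha"] != p["eth_dst"]:
            return False, ("target MAC of reply is all-zero, all-one, "
                           "or differs from Ethernet destination MAC")
    return True, None


def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Construct a test frame (no FCS); used only to exercise the checks."""
    ethernet = struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac(sha), ipv4(spa), mac(tha), ipv4(tpa))
    return ethernet + arp
```

The source MAC check catches the common spoofing pattern where the ARP payload carries a victim's MAC inside a frame the attacker's NIC stamped with its own address; the dst-mac check rejects gratuitous-looking "replies" aimed at everyone or at nobody.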
[Sysname-vlan2] arp restricted-forwarding enable display arp detection Use display arp detection to display the VLANs and VSIs that are enabled with ARP attack detection. Syntax display arp detection Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Examples # Display the VLANs and VSIs that are enabled with ARP attack detection. <Sysname>...
Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays ARP attack detection statistics for all interfaces and all Ethernet service instances on the interfaces. service-instance instance-id: Specifies an Ethernet service instance by its ID. If you do not specify an Ethernet service instance, this command displays ARP attack detection statistics for all Ethernet service instances on the specified interface.
Predefined user roles network-admin mdc-admin Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears ARP attack detection statistics for all interfaces and all Ethernet service instances on the interfaces. service-instance instance-id: Specifies an Ethernet service instance by its ID.
To delete a static ARP entry changed from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. To delete all such static ARP entries, use the reset arp all or reset arp static command. Examples # Convert existing dynamic ARP entries to static ARP entries. <Sysname>...
[Sysname-Vlan-interface2] arp scan # Configure the device to scan neighbors in an address range. <Sysname> system-view [Sysname] interface vlan-interface 2 [Sysname-Vlan-interface2] arp scan 1.1.1.1 to 1.1.1.20 ARP gateway protection commands arp filter source Use arp filter source to enable ARP gateway protection for a gateway. Use undo arp filter source to disable ARP gateway protection for a gateway.
Syntax arp filter binding ip-address mac-address undo arp filter binding ip-address Default ARP filtering is disabled. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Parameters ip-address: Specifies a permitted sender IP address. mac-address: Specifies a permitted sender MAC address.
Views VLAN view Predefined user roles network-admin mdc-admin Parameters start-ip-address: Specifies the start IP address. end-ip-address: Specifies the end IP address. The end IP address must be higher than or equal to the start IP address. Usage guidelines The gateway discards an ARP packet if its sender IP address is not within the allowed IP address range.
Views System view Predefined user roles network-admin mdc-admin Usage guidelines Use this command to enable source MAC consistency check on a gateway. The gateway checks the source MAC address and the source link-layer address for consistency for each ND message. If an inconsistency is found, the gateway drops the ND message.
Table 95 Command output Field Description Interface Input interface of the ND messages. Packets dropped Number of ND messages dropped by ND attack detection. ipv6 nd detection enable Use ipv6 nd detection enable to enable ND attack detection. This feature checks the ND message validity.
Parameters policy-name: Specifies an RA guard policy by its name. The policy name is a case-sensitive string of 1 to 31 characters. If you do not specify a policy, this command displays the configuration of all RA guard policies. Examples # Display the configuration of all RA guard policies.
Syntax display ipv6 nd raguard statistics [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays RA guard statistics for all interfaces. Examples # Display RA guard statistics.
Predefined user roles network-admin mdc-admin Parameters ipv6-acl-number: Specifies an IPv6 basic ACL by its number in the range of 2000 to 2999. name ipv6-acl-name: Specifies an IPv6 basic ACL by its name, a case-insensitive string of 1 to 63 characters. The name must start with an English letter. To avoid confusion, the name cannot be all. Usage guidelines RA guard uses the ACL match criterion to match the IP address of the RA message sender.
Examples # Specify on as the M flag match criterion for the RA guard policy policy1. <Sysname> system-view [Sysname] ipv6 nd raguard policy policy1 [Sysname-raguard-policy-policy1] if-match autoconfig managed-address-flag on if-match autoconfig other-flag Use if-match autoconfig other-flag to specify an O flag match criterion. Use undo if-match autoconfig other-flag to delete the O flag match criterion.
Default No maximum or minimum hop limit match criterion exists. Views RA guard policy view Predefined user roles network-admin mdc-admin Parameters maximum: Specifies the maximum advertised hop limit. An RA message passes the check if its current hop limit is not higher than the maximum advertised hop limit. minimum: Specifies the minimum advertised hop limit.
Usage guidelines An RA message passes the check if the advertised prefixes in the message match the prefixes set by the ACL. If the specified ACL does not exist or does not contain a rule, the prefix match criterion does not take effect.
Examples # Specify medium as the router preference match criterion for the RA guard policy policy1. <Sysname> system-view [Sysname] ipv6 nd raguard policy policy1 [Sysname-raguard-policy-policy1] if-match router-preference maximum medium ipv6 nd raguard apply policy Use ipv6 nd raguard apply policy to apply an RA guard policy to a VLAN. Use undo ipv6 nd raguard apply policy to remove the RA guard policy from a VLAN.
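The RA guard match criteria described by the if-match commands above (sender address ACL, M flag, O flag, maximum and minimum hop limit, prefix ACL, and maximum router preference), as an added example that is not part of the command reference: a Python evaluation of a parsed RA message against a policy. The RA message is a constructed dictionary of already-parsed fields and the ACLs are simple ordered permit/deny rules; treating a hop limit below the configured minimum as a failure mirrors the maximum rule and is an assumption, since the page cuts off before describing it.

```python
# Added example, not code from the command reference. Evaluates an RA
# message against the RA guard match criteria described above. The RA
# message is a constructed dictionary of parsed fields. ACLs are ordered
# (prefix, permit) rules with an implicit final deny; an empty ACL means
# the criterion is not configured and does not take effect, as the usage
# guidelines say for a missing or empty ACL.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# RFC 4191 router preference order: low < medium < high
PREFERENCE_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class RaGuardPolicy:
    name: str
    source_acl: List[Tuple[str, bool]] = field(default_factory=list)   # if-match acl
    prefix_acl: List[Tuple[str, bool]] = field(default_factory=list)   # if-match prefix acl
    managed_flag: Optional[bool] = None     # if-match autoconfig managed-address-flag
    other_flag: Optional[bool] = None       # if-match autoconfig other-flag
    hop_limit_max: Optional[int] = None     # if-match hop-limit maximum
    hop_limit_min: Optional[int] = None     # if-match hop-limit minimum (assumed symmetric)
    preference_max: Optional[str] = None    # if-match router-preference maximum


def acl_permits(acl, address_or_prefix):
    """First-match lookup. Returns None when the ACL has no rules so the
    criterion is ignored, True/False otherwise (implicit deny at the end)."""
    if not acl:
        return None
    target = ipaddress.ip_network(address_or_prefix, strict=False)
    for prefix, permit in acl:
        rule = ipaddress.ip_network(prefix, strict=False)
        if target.version == rule.version and target.subnet_of(rule):
            return permit
    return False


def ra_guard_check(policy, ra):
    """Return the list of criteria the RA fails; an empty list means the
    RA passes the policy and is forwarded."""
    failures = []
    if acl_permits(policy.source_acl, ra["src"]) is False:
        failures.append("source address not permitted")
    if policy.managed_flag is not None and ra["m_flag"] != policy.managed_flag:
        failures.append("M flag mismatch")
    if policy.other_flag is not None and ra["o_flag"] != policy.other_flag:
        failures.append("O flag mismatch")
    if policy.hop_limit_max is not None and ra["hop_limit"] > policy.hop_limit_max:
        failures.append("hop limit above maximum")
    if policy.hop_limit_min is not None and ra["hop_limit"] < policy.hop_limit_min:
        failures.append("hop limit below minimum")
    if (policy.preference_max is not None
            and PREFERENCE_RANK[ra["preference"]] > PREFERENCE_RANK[policy.preference_max]):
        failures.append("router preference above maximum")
    for prefix in ra["prefixes"]:      # every advertised prefix must be permitted
        if acl_permits(policy.prefix_acl, prefix) is False:
            failures.append(f"prefix {prefix} not permitted")
    return failures
```

A policy with no criteria passes everything, which is why an empty or misspelled ACL silently disables the sender check; the test below includes that case so the failure mode is visible.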
undo ipv6 nd raguard log enable Default The RA guard logging feature is disabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines This command allows a device to generate logs when it detects forged RA messages. The log information helps administrators locate and solve problems.
Parameters policy-name: Assigns a name to the RA guard policy. The name is a case-sensitive string of 1 to 31 characters. Examples # Create RA guard policy policy1 and enter its view. <Sysname> system-view [Sysname] ipv6 nd raguard policy policy1 [Sysname-raguard-policy-policy1] Related commands display ipv6 nd raguard policy...
reset ipv6 nd raguard statistics Use reset ipv6 nd raguard statistics to clear RA guard statistics. Syntax reset ipv6 nd raguard statistics [ interface interface-type interface-number ] Views User view Predefined user roles network-admin mdc-admin Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears RA guard statistics for all interfaces.
IPv4 uRPF commands display ip urpf Use display ip urpf to display uRPF configuration. Syntax In standalone mode: display ip urpf [ slot slot-number ] In IRF mode: display ip urpf [ chassis chassis-number slot slot-number ] Views Any view Predefined user roles network-admin network-operator...
Use undo ip urpf to disable uRPF. Syntax ip urpf { loose [ allow-default-route ] | strict [ allow-default-route ] } undo ip urpf Default uRPF is disabled. Views System view Predefined user roles network-admin mdc-admin Parameters loose: Enables loose uRPF check. To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry.
IPv6 uRPF commands display ipv6 urpf Use display ipv6 urpf to display IPv6 uRPF configuration. Syntax In standalone mode: display ipv6 urpf [ slot slot-number ] In IRF mode: display ipv6 urpf [ chassis chassis-number slot slot-number ] Views Any view Predefined user roles network-admin network-operator...
Use undo ipv6 urpf to disable IPv6 uRPF. Syntax ipv6 urpf { loose | strict } [ allow-default-route ] undo ipv6 urpf Default IPv6 uRPF is disabled. Views System view Predefined user roles network-admin mdc-admin Parameters loose: Enables loose IPv6 uRPF check. To pass loose IPv6 uRPF check, the source address of a packet must match the destination address of an IPv6 FIB entry.
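The loose and strict uRPF checks described by the ip urpf and ipv6 urpf commands above, including the allow-default-route keyword, as an added example that is not part of the command reference: a Python FIB with longest-prefix lookup and the check for both address families. Interface names and routes are constructed; that in strict mode a match on the default route must also satisfy the interface comparison is an assumption of this model.

```python
# Added example, not code from the command reference. A minimal FIB with
# longest-prefix matching and the uRPF check in loose and strict mode:
#  - loose: the source address must match some FIB entry;
#  - strict: additionally the entry's outgoing interface must be the
#    interface the packet arrived on;
#  - allow-default-route: a match on the default route counts as a match;
#    without it the default route is ignored by uRPF.
# Routes and interface names are constructed for the example.
import ipaddress


class Fib:
    def __init__(self):
        self.routes = []   # (network, outgoing interface)

    def add(self, prefix, interface):
        self.routes.append((ipaddress.ip_network(prefix, strict=False), interface))

    def lookup(self, address):
        """Longest-prefix match for an IPv4 or IPv6 address; None if no route."""
        addr = ipaddress.ip_address(address)
        best = None
        for net, iface in self.routes:
            if addr.version != net.version or addr not in net:
                continue
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
        return best


def urpf_check(fib, src, in_interface, mode="strict", allow_default_route=False):
    """Return True if a packet from src arriving on in_interface passes the
    uRPF check and is forwarded, False if uRPF discards it."""
    if mode not in ("loose", "strict"):
        raise ValueError("mode must be loose or strict")
    match = fib.lookup(src)
    if match is None:
        return False                         # no FIB entry for the source at all
    net, out_interface = match
    if net.prefixlen == 0 and not allow_default_route:
        return False                         # only the default route matched
    if mode == "loose":
        return True
    return out_interface == in_interface     # strict: must arrive on the route's interface


if __name__ == "__main__":
    fib = Fib()
    fib.add("0.0.0.0/0", "XGE1/0/1")
    fib.add("192.0.2.0/24", "XGE1/0/2")
    fib.add("2001:db8::/32", "XGE1/0/3")
    for src, iface in (("192.0.2.10", "XGE1/0/2"), ("192.0.2.10", "XGE1/0/1"),
                       ("198.51.100.7", "XGE1/0/1")):
        print(src, iface, "strict:", urpf_check(fib, src, iface, "strict"),
              "loose:", urpf_check(fib, src, iface, "loose"))
```

Loose mode with allow-default-route on a router that carries a default route passes every source address, so it adds no protection there; strict mode on a link with asymmetric routing will drop legitimate return traffic, which is the usual reason loose mode is chosen on upstream-facing interfaces.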
mdc-admin Parameters default-gateway gateway-ip: Specifies the IP address of the default gateway. Usage guidelines For MFF to take effect, make sure ARP snooping is enabled on the device. For a network (or VLAN) with IP addresses manually configured, the gateway IP address must be manually configured.
mac-forced-forwarding network-port Use mac-forced-forwarding network-port to configure the Ethernet port as a network port. Use undo mac-forced-forwarding network-port to restore the default. Syntax mac-forced-forwarding network-port undo mac-forced-forwarding network-port Default The Ethernet port is a user port. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin...
undo mac-forced-forwarding server server-ip&<1-10> Default No server IP address is specified. Views VLAN view Predefined user roles network-admin mdc-admin Parameters server-ip&<1-10>: Specifies a space-separated list of up to 10 server IP addresses. Usage guidelines You need to maintain a server list on the MFF device to ensure communication between the servers and clients.
FIPS commands display fips status Use display fips status to display the FIPS mode state. Syntax display fips status Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Examples # Display the FIPS mode state. <Sysname> display fips status FIPS mode is enabled.
After you execute the fips mode enable command, the system provides the following methods to enter FIPS mode: • Automatic reboot Select the automatic reboot method. The system automatically performs the following tasks: a. Create a default FIPS configuration file named fips-startup.cfg. b.
Reboot the device automatically? [Y/N]:y The system will create a new startup configuration file for FIPS mode. After you set the login username and password for FIPS mode, the device will reboot automatically. Enter username(1-55 characters): root Enter password(15-63 characters): Confirm password: Waiting for reboot...
Examples # Trigger a self-test on the cryptographic algorithms. <Sysname> system-view [Sysname] fips self-test Cryptographic Algorithms Known-Answer Tests are running ... CPU 0 of slot 0 in chassis 0: Starting Known-Answer tests in the user space. Known-answer test for SHA1 passed. Known-answer test for SHA224 passed.
Known-answer test for DSA(signature/verification) passed. Known-answer test for random number generator passed. Known-Answer tests in the user space passed. Starting Known-Answer tests in the kernel. Known-answer test for AES passed. Known-answer test for HMAC-SHA1 passed. Known-answer test for SHA1 passed. Known-answer test for GCM passed.
MACsec commands confidentiality-offset Use confidentiality-offset to set the MACsec confidentiality offset in an MKA policy. Use undo confidentiality-offset to restore the default. Syntax confidentiality-offset offset-value undo confidentiality-offset Default The MACsec confidentiality offset is 0. The entire frame is encrypted. Views MKA policy view Predefined user roles network-admin...
Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays MACsec information on all ports. verbose: Displays detailed MACsec information. If you do not specify this keyword, the command displays brief MACsec information.
Table 102 Command output Field Description
Protect frames: Status of MACsec desire on the port: • Yes. If the port does not have an MKA principal actor, this field displays N/A.
Active MKA policy: MKA policy applied to the port. This field displays N/A if the port is not enabled with MACsec desire. This field is not available if the port is enabled with MACsec desire but is not applied an MKA policy.
Field Description Packet number for outbound traffic. SA number. The minimum received packet number allowed by SAK. Related commands mka apply policy display mka policy Use display mka policy to display MKA policy information. Syntax display mka { default-policy | policy [ name policy-name ] } Views Any view Predefined user roles...
Field Description
ConfOffset: Confidentiality offset in bytes.
Validation: Validation mode: • Check. • Strict.
Related commands mka policy mka apply policy display mka session Use display mka session to display MKA session information. Syntax display mka session [ interface interface-type interface-number | local-sci sci-id ] [ verbose ] Views Any view Predefined user roles...
# Display detailed MKA session information on GigabitEthernet 1/0/1. <Sysname> display mka session interface gigabitethernet 1/0/1 verbose Interface GigabitEthernet1/0/1 Tx-SCI : 000C29F6A4380004 Priority Capability: 3 CKN for participant: ABCD Key server : Yes MI (MN) : D7B00EDA353242704CC6B0DB (7) Live peers Potential peers Principal actor : Yes...
Field Description
Principal actor: Whether the MKA instance is the principal actor. An MKA instance is the operating entity of the MKA protocol on a port. A port might have multiple MKA instances; the principal actor is the MKA instance in active state.
MKA session status: •...
Field Description
Previous SAK KI: Key identifier of the previous SAK, a string of hexadecimal digits that contains the key server's 12-byte MI and KN. This field displays N/A in the following situations: • The MKA instance is not the principal actor. •...
Table 105 Command output
MKPDUs with invalid CKN: Number of received MKA packets with invalid CKNs.
MKPDUs with invalid ICV: Number of MKA packets that failed ICV check.
MKPDUs with Rx error: Number of received error MKA packets.
CKN for participant: CAK name of the MKA instance.
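The session and statistics fields listed in the tables above (Key server, Principal actor, Validation, and the three MKPDU error counters) are what an operator polls to see whether MKA is healthy. The following Python helper is an added illustration of turning that output into findings; it is not part of the HPE command reference. The sample text is constructed to approximate the "Field : Value" layout of the display output and merges fields from the session, policy and statistics tables for brevity; the exact spacing and field order of real device output are assumptions, so the parser keys only on the field names the tables document.

```python
"""Audit helper for MKA status output (added illustration, not device code).

The constructed SAMPLE_OUTPUT below approximates the layout of the display
output; real field order and spacing are assumptions."""
import re
from typing import Dict, List, Tuple

# Constructed sample: one port in Check mode with ICV failures, one port
# receiving MKPDUs with an unknown CKN. Not captured from a real device.
SAMPLE_OUTPUT = """\
Interface GigabitEthernet1/0/1
  Key server              : Yes
  Principal actor         : Yes
  Validation mode         : Check
  MKPDUs with invalid CKN : 0
  MKPDUs with invalid ICV : 4
  MKPDUs with Rx error    : 0
Interface GigabitEthernet1/0/2
  Key server              : No
  Principal actor         : Yes
  Validation mode         : Strict
  MKPDUs with invalid CKN : 2
  MKPDUs with invalid ICV : 0
  MKPDUs with Rx error    : 1
"""

# "key : value" with arbitrary padding around the colon
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_display_output(text: str) -> Dict[str, Dict[str, str]]:
    """Split the output into one field dictionary per interface."""
    ports: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Interface "):
            current = line.split(None, 1)[1].strip()
            ports[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            ports[current][m.group("key")] = m.group("value")
    return ports


def _count(fields: Dict[str, str], key: str) -> int:
    """Read a counter field, treating missing or non-numeric values as 0."""
    try:
        return int(fields.get(key, "0"))
    except ValueError:
        return 0


def audit(ports: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs worth an alert or a ticket."""
    findings: List[Tuple[str, str]] = []
    for port, f in ports.items():
        icv = _count(f, "MKPDUs with invalid ICV")
        ckn = _count(f, "MKPDUs with invalid CKN")
        rx_err = _count(f, "MKPDUs with Rx error")
        if icv:
            # ICV failures mean the peer protected its MKPDUs with a
            # different CAK, or the MKPDUs were altered in transit.
            findings.append((port, f"{icv} MKPDUs failed ICV check"))
        if ckn:
            # The peer names a CAK this port does not hold (CKN mismatch).
            findings.append((port, f"{ckn} MKPDUs carried an unknown CKN"))
        if rx_err:
            findings.append((port, f"{rx_err} malformed MKPDUs received"))
        # In IEEE 802.1AE terms, Check mode counts frames that fail
        # validation but still forwards them; only Strict discards them.
        if f.get("Validation mode", "").lower() != "strict":
            findings.append((port, "validation mode is not strict"))
    return findings


if __name__ == "__main__":
    for port, msg in audit(parse_display_output(SAMPLE_OUTPUT)):
        print(f"{port}: {msg}")
```

The counters are cumulative, so in practice the audit runs on the delta between two polls (or after reset mka statistics); a non-zero ICV counter that keeps climbing on a port whose peer was never re-keyed is the case to chase first.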
Use undo macsec mka-session log enable to disable MKA session logging.
Syntax
macsec mka-session log enable
undo macsec mka-session log enable
Default
MKA session logging is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
This command enables the device to generate logs for MKA session changes, such as peer aging and SAK updates.
If you execute this command on a port to which an MKA policy has been applied, the configuration overwrites the MACsec replay protection configuration in the MKA policy. The MKA policy application is removed from the port. However, other settings (settings for parameters except MACsec replay protection) of the MKA policy are effective on the port.
If you execute this command on a port to which an MKA policy has been applied, the configuration overwrites the replay protection window size in the MKA policy. The MKA policy application is removed from the port. However, other settings (settings for parameters except the replay protection window size) of the MKA policy are effective on the port.
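The two replay-protection commands above decide whether a received frame's packet number (PN) is still acceptable and how much reordering is tolerated. The following Python model is an added illustration of that receive-side check, not code from the HPE reference: it follows the IEEE 802.1AE lowestPN/nextPN rule, and because the device's own implementation is not shown in the reference, the exact bookkeeping (counter names, PN size, rekey threshold) is an assumption.

```python
"""Receive-side MACsec replay-protection window (added illustration).

Modelled on the IEEE 802.1AE lowestPN/nextPN rule; the device's actual
implementation is not documented here, so treat details as assumptions."""
from dataclasses import dataclass
from typing import List, Tuple

PN_MAX = 0xFFFFFFFF  # 32-bit packet number of a non-XPN cipher suite (assumption)


@dataclass
class ReceiveSA:
    replay_protect: bool = True
    window: int = 0        # 0 means frames must arrive strictly in order
    next_pn: int = 1       # next packet number the SA expects
    accepted: int = 0
    late: int = 0          # frames discarded as replayed or too old

    def lowest_pn(self) -> int:
        """Smallest PN the SA still accepts (lowestPN in 802.1AE)."""
        return max(1, self.next_pn - self.window)

    def receive(self, pn: int) -> bool:
        """Apply the window to a frame that already passed ICV validation."""
        if self.replay_protect and pn < self.lowest_pn():
            self.late += 1
            return False
        self.accepted += 1
        if pn >= self.next_pn:
            self.next_pn = pn + 1   # window slides forward with the newest PN
        return True

    def needs_rekey(self) -> bool:
        """A PN must never repeat under one SAK, so MKA has to distribute a
        fresh SAK before the counter wraps."""
        return self.next_pn >= PN_MAX


def run(pns: List[int], window: int, replay_protect: bool = True) -> Tuple[int, int]:
    """Feed a constructed arrival order through one SA; return (accepted, late)."""
    sa = ReceiveSA(replay_protect=replay_protect, window=window)
    for pn in pns:
        sa.receive(pn)
    return sa.accepted, sa.late


if __name__ == "__main__":
    # Constructed arrival orders: reordering inside the window is tolerated,
    # anything older than lowestPN is dropped.
    print(run([1, 2, 3, 2, 4], window=0))                 # strict order: replayed 2 is late
    print(run([1, 5, 3, 2, 1, 6], window=3))              # lowestPN is 3 after PN 5 arrives
    print(run([1, 5, 3, 2, 1, 6], window=0, replay_protect=False))
```

Two points the model makes visible: a window only rejects frames that fall behind lowestPN, so a duplicate PN that is still inside the window is accepted (802.1AE does not keep a per-PN bitmap), which is why the window should be as small as the path's reordering allows; and disabling replay protection accepts any PN, which is the setting the audit above flags.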
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] macsec validation mode strict
Related commands
display macsec
mka apply policy
validation mode

mka apply policy
Use mka apply policy to apply an MKA policy to a port.
Use undo mka apply policy to remove the MKA policy from a port.
Syntax
mka apply policy policy-name
undo mka apply policy...
display mka policy
replay-protection enable
replay-protection window-size
validation mode

mka enable
Use mka enable to enable MKA on a port.
Use undo mka enable to disable MKA on a port.
Syntax
mka enable
undo mka enable
Default
MKA is disabled on a port.
Views
Ethernet interface view
Predefined user roles...
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
policy-name: Specifies the name of an MKA policy, a case-sensitive string of 1 to 16 characters.
Usage guidelines
An MKA policy provides a centralized method for configuring the MACsec confidentiality offset, validation mode, replay protection, and replay protection window size. The system supports multiple MKA policies.
Parameters
priority-value: Specifies the priority value, in the range of 0 to 255. The priority is inversely related to its value.
Usage guidelines
If you use an 802.1X-generated CAK, the access device port automatically becomes the key server. If you use a preshared key as the CAK, the port that has the higher priority (lower priority value) becomes the key server.
Usage guidelines
The CAK can be either generated during 802.1X or manually configured at the CLI. The manually configured CAK takes precedence over the 802.1X-generated key. When 802.1X is not enabled on MACsec ports, you can execute this command to configure a preshared key on each MACsec port.
Related commands
macsec replay-protection window-size
macsec replay-protection enable
mka apply policy

reset mka session
Use reset mka session to reset MKA sessions on ports.
Syntax
reset mka session [ interface interface-type interface-number ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
interface interface-type interface-number: Specifies a port by its type and number.
Examples
# Clear MKA statistics on GigabitEthernet 1/0/1.
<Sysname> reset mka statistics interface gigabitethernet 1/0/1
Related commands
display mka statistics

validation mode
Use validation mode to set a MACsec validation mode in an MKA policy.
Use undo validation mode to restore the default.
Syntax
validation mode { check | strict }
undo validation mode...
802.1X client commands

display dot1x supplicant
Use display dot1x supplicant to display 802.1X client authentication information.
Syntax
display dot1x supplicant [ interface interface-type interface-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays 802.1X client authentication information for all interfaces.
Anonymous identifier: 802.1X client anonymous identifier.
SSL client policy: SSL client policy used by the 802.1X client feature.
FSM state: 802.1X client authentication state:
• Init—The authentication process starts.
• Connecting—The 802.1X client is connecting to the authenticator.
•...
• TTLS-GTC.
If MD5-Challenge EAP authentication is used, the configured 802.1X client anonymous identifier does not take effect. The device uses the 802.1X client username at the first authentication phase. Do not configure the 802.1X client anonymous identifier if the vendor-specific authentication server cannot identify anonymous identifiers.
Default
An Ethernet interface uses the interface's MAC address for 802.1X client authentication. If the interface's MAC address is unavailable, the interface uses the device's MAC address for 802.1X client authentication.
Views
Ethernet interface view
Predefined user roles
network-admin
mdc-admin
Parameters
mac-address: Specifies a MAC address in the format of H-H-H, excluding multicast, all-zero, and all-F MAC addresses.
Parameters
cipher: Specifies a password in encrypted form.
simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 127 characters. Its encrypted form is a case-sensitive string of 1 to 201 characters.
If MD5-Challenge authentication is used, the device does not use an SSL client policy during the authentication process.
Examples
# Specify SSL client policy policy_1 to be used by an 802.1X client-enabled device on Ten-GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1] dot1x supplicant ssl-client-policy policy_1
Related commands
display dot1x supplicant...
Web authentication commands

display web-auth
Use display web-auth to display Web authentication configuration and running status on interfaces.
Syntax
display web-auth [ interface interface-type interface-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays Web authentication configuration for all interfaces.
Web-auth domain: ISP domain used by Web authentication.
Auth-fail VLAN: Auth-Fail VLAN for Web authentication. This field displays Not configured if no Auth-Fail VLAN is configured.
Offline-detect: Interval of Web authentication user detection. This field displays Not configured if online detection for Web authentication users is disabled.
Max online users: Maximum number of Web authentication users allowed on the interface.
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
server-name: Specifies a Web authentication server name, a case-sensitive string of 1 to 32 characters. If you do not specify a Web authentication server, this command displays information about all Web authentication servers.
Examples
# Display information about Web authentication server aaa.
network-operator
mdc-admin
mdc-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays information about online Web authentication users on all interfaces.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays online Web authentication user information for all cards.
Default
No IP address or port number is specified for a Web authentication server.
Views
Web authentication server view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-address: Specifies the IPv4 address of the Web authentication server. This IP address is that of a Layer 3 interface on the access device and must be routable to and from the Web authentication user.
Default
The redirection wait time is 5 seconds.
Views
Web authentication server view
Predefined user roles
network-admin
mdc-admin
Parameters
period: Specifies the redirection wait time in the range of 1 to 90 seconds.
Usage guidelines
After a user passes Web authentication and is assigned an authorization VLAN, the user might need to change the IP address of the authentication client.
The IP address and port number in the URL must be the same as the IP address and port number of the Web authentication server.
Examples
# Specify http://192.168.1.1/portal/ as the redirection URL for Web authentication server wbs.
<Sysname> system-view
[Sysname] web-auth server wbs
[Sysname-web-auth-server-wbs] url http://192.168.1.1:80/portal/
Related commands...
When you configure the parameter-name argument in this command, you must use the URL parameter name supported by the Web browser. Different Web browsers support different URL parameter names.
Examples
# Add parameters userip and userurl to the redirection URL of portal Web server wbs.
<Sysname>...
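The url and url-parameter commands above impose two constraints on the redirection URL: its IP address and port must match the Web authentication server, and the parameters appended to it carry the user's IP and original URL. The following Python helper is an added illustration of checking the first and building the second; it is not part of the HPE command reference, the device does this internally, and the parameter names userip and userurl are taken from the example above rather than from a documented portal contract.

```python
"""Redirection URL checks for a Web authentication server (added illustration).

Not device code; userip/userurl are the parameter names used in the example
on this page, and the sample values below are constructed."""
from typing import Dict
from urllib.parse import urlencode, urlsplit, urlunsplit

# Scheme defaults used when the configured URL carries no explicit port.
DEFAULT_PORTS = {"http": 80, "https": 443}


def url_matches_server(url: str, server_ip: str, server_port: int) -> bool:
    """The reference requires the URL's IP address and port to equal the Web
    authentication server's. An absent port means the scheme default, which
    is why http://192.168.1.1/portal/ and http://192.168.1.1:80/portal/ agree."""
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return parts.hostname == server_ip and port == server_port


def build_redirect(base_url: str, params: Dict[str, str]) -> str:
    """Append redirection parameters to the configured URL.

    Each value is percent-encoded, so a user's original URL that itself
    contains '?', '&' or '=' stays a single parameter value instead of
    adding query parameters of its own."""
    parts = urlsplit(base_url)
    extra = urlencode(params)
    query = f"{parts.query}&{extra}" if parts.query else extra
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


if __name__ == "__main__":
    # Constructed server address and client values for demonstration.
    server = ("192.168.1.1", 80)
    configured = "http://192.168.1.1:80/portal/"
    print(url_matches_server(configured, *server))
    print(build_redirect(configured, {"userip": "10.0.0.5",
                                      "userurl": "http://example.com/a?b=1&c=2"}))
```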
Examples
# Specify VLAN 5 as the Web authentication Auth-Fail VLAN on Ten-GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1] port link-type hybrid
[Sysname-Ten-GigabitEthernet1/0/1] mac-vlan enable
[Sysname-Ten-GigabitEthernet1/0/1] web-auth auth-fail vlan 5
Related commands
display web-auth

web-auth domain
Use web-auth domain to specify an authentication domain for Web authentication users on an interface.
Syntax
web-auth enable apply server server-name
undo web-auth enable
Default
Web authentication is disabled.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
mdc-admin
Parameters
server-name: Specifies the Web authentication server name, a case-sensitive string of 1 to 32 characters.
Parameters
ip-address: Specifies the Web authentication-free subnet address.
mask-length: Specifies the mask length of the Web authentication-free subnet address, in the range of 0 to 32.
mask: Specifies a mask for the Web authentication-free subnet in dotted decimal notation.
all: Specifies all Web authentication-free subnets.
Usage guidelines
Web authentication users can access resources in Web authentication-free subnets without being authenticated.
[Sysname-Ten-GigabitEthernet1/0/1] web-auth max-user 32
Related commands
display web-auth

web-auth offline-detect
Use web-auth offline-detect to enable online detection of Web authentication users.
Use undo web-auth offline-detect to disable online detection of Web authentication users.
Syntax
web-auth offline-detect interval interval
undo web-auth offline-detect interval
Default
Online detection of Web authentication users is disabled.
Default
No Web proxy server port numbers are configured on the device.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
port number: Specifies a Web proxy server TCP port number, in the range of 1 to 65535.
all: Specifies all Web proxy server TCP port numbers.
Usage guidelines
By default, proxied HTTP requests cannot trigger Web authentication but are silently dropped.
Predefined user roles
network-admin
mdc-admin
Parameters
server-name: Specifies a Web authentication server name, a case-sensitive string of 1 to 32 characters.
Usage guidelines
In Web authentication server view, you can configure the following parameters and features for the Web authentication server:
•...
Document conventions and icons

Conventions
This section describes the conventions used in the documentation.

Command conventions
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Hewlett Packard Enterprise Support Center More Information on Access to Support Materials page: www.hpe.com/support/AccessToSupportMaterials
IMPORTANT: Access to some updates might require product entitlement when accessed through the Hewlett Packard Enterprise Support Center. You must have an HP Passport set up with relevant entitlements.
Websites
Networking websites
Hewlett Packard Enterprise Information Library for Networking: www.hpe.com/networking/resourcefinder
Hewlett Packard Enterprise Networking website: www.hpe.com/info/networking
Hewlett Packard Enterprise My Networking website: www.hpe.com/networking/support
Hewlett Packard Enterprise My Networking Portal: www.hpe.com/networking/mynetworking
Hewlett Packard Enterprise Networking Warranty: www.hpe.com/networking/warranty
General websites
Hewlett Packard Enterprise Information Library: www.hpe.com/info/enterprise/docs
Hewlett Packard Enterprise Support Center...
part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.